HIPAA Audit Program Phase II – Have You Been Selected?

HIPAAAuditProgram

Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving a “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit,  it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.  According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore the OCR’s request for verification.  The OCR has made it clear that entities who do not respond could still be subject to an audit.
  1. Questionnaire: After the entity’s contact information is verified, the OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity.  Covered Entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  1. Selection: OCR will then randomly select entities from the pool for audit.  If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat based the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

Naughty or Nice – 60 Day Overpayment Reporting Rule

According to a recent New York District Court decision, whether providers are subjected to an enforcement action under the False Claims Act for failing to report and return an overpayment within the sixty-day window should turn on whether they have been naughty or nice after learning of the potential of an overpayment.  In this case, at least at the motion to dismiss stage, the court concluded that the providers had been naughty, which, based on the factual recitations seemed a pretty easy call.  Essentially, the providers were alerted to the potential of substantial overpayments by an employee tasked with examining an overpayment issue.  Four days after providing his employer with a spreadsheet detailing the overpayments, the employee was fired and his spreadsheet “filed”.  A couple months later, the employee filed his qui tam action in which the United States and the state of New York eventually intervened.

 

Naughty or nice became important because of the court’s analysis of what constitutes “identification” of an overpayment for purposes of triggering the 60 day report and return obligation.  In this regard, according to the decision, at least one thing is certain.  The answer is not when the amount of the overpayment is finally calculated with certainty.  In response to this argument by the defendants, the court observed this would create ” . . . a perverse incentive to delay learning the amount due . . . relegating the sixty-day period to merely the time within which they would have to cut the check.”

 

The Government took the position that an overpayment is identified when the recipient is put on notice that a certain claim may have been overpaid.  The court agreed that defining “identified”  ” . . . such that the sixty day clock begins ticking when a provider is put on notice of a potential overpayment , rather than when the overpayment is conclusively ascertained, is compatible with the legislative history of the FCA and the FERA highlighted by the Government.”

 

The court characterized the rule derived from a review of legislative history as “unforgiving”, noting that it provides no leeway for the recipient of an overpayment who ” . . . struggles to conduct an internal audit, and reports its efforts to the Government within the sixty-day window, but has yet to isolate and return all overpayments sixty-one days after being put on notice of potential overpayments.”  ”  . . .it nowhere requires the Government to grant more leeway or more time to a provider who fails timely to return an overpayment but acts with reasonable diligence in an attempt to do so.”  Any relief for the provider that is diligently attempting to determine whether the potential overpayment is factually and legally an actual overpayment and, if so, the amount of the overpayment to be returned rests with prosecutorial discretion, which according to the court, ” . . . would counsel against the institution of enforcement actions aimed at well-intentioned health care providers working with reasonable haste to address erroneous overpayments” because in such a  situation the provider would not have acted with reckless disregard, deliberate ignorance or actual knowledge of the overpayment, a requirement of a FCA claim.

 

In fact, in comments to the court in this case, the Government made clear that this was not a case of a provider working diligently on the claims and on the sixty-first day is still scrambling with its spreadsheets.  “You know, the Government wouldn’t be bringing that kind of claim.”

So the moral of the story is if a messenger notifies you of a potential overpayment, be nice, act with diligence to investigate and quantify any overpayment, and for goodness sake don’t shoot the messenger.

To learn more about refunding overpayments please contact Greg Montgomery or Adam Snyder.

 

WHOA ME! TUOMEY!

For the second time in the past three years, Tuomey Healthcare System found its fate in the hands of the 4th Circuit Court of Appeals as a Qui Tam Defendant under the False Claims Act (“FCA”). Only this time it did not fare quite as well in what amounts to a crushing defeat. Back in 2012, pending retrial on allegations that Tuomey violated the FCA, the 4th Circuit Court of Appeals vacated a $45 million judgment stemming from violations of the Stark Law, see prior article here.  Now, on July 2, 2015, the 4th Circuit affirmed the district court’s decision on retrial that Tuomey submitted 21,730 False Claims based on Stark Law violations and was thereby liable for $237,454,195 in damages and penalties. The 4th Circuit rejected Tuomey’s arguments that no reasonable jury could have concluded that Tuomey violated Stark or intended to submit False Claims and that it was entitled to a new trial based upon various assignments of error related to jury instructions and damages issues related to measurement and constitutional matters.

The result is stunning, and should give pause to health lawyers, consultants and healthcare executives who find themselves walking the tightrope between sound business judgment and the complicated maze of the Stark Law and other complex healthcare rules. Indeed, in his concurring opinion, Judge Wynn expressed distaste for the outcome:

But I write separately to emphasize the troubling picture this case paints: An impenetrably complex set of laws and regulations that will result in a likely death sentence for a community hospital in an already medically under-served area…..Health care providers are open to extensive liability, their financial security resting uneasily upon a combination of their attorneys’ wits [and] prosecutorial discretion.” [citations omitted]. Despite attempts to establish “bright line” rules,…the Stark law has proved challenging to understand and comply with.

This case is troubling. It seems as if, even for well-intentioned health care providers, the Stark Law has become a booby trap rigged with strict liability and potentially ruinous exposure – especially when coupled with the FCA.

Judge Wynn’s words were not lost on the majority:

Finally, we do not discount the concerns raised by our concurring colleague regarding the result in this case. But having found no cause to upset the jury’s verdict in this case and no constitutional error, it is for Congress to consider whether changes to the Stark Law’s reach are in order.

Short of congressional action, CMS recently announced Stark-related proposals [http://www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2015-Fact-sheets-items/2015-07-08.html] that could ease the burden of the law. Tuomey will need to find its relief elsewhere.

Stark Generally.

A physician may not make a referral to an entity for the furnishing of designated healthcare services (“DHS”) if the physician has a financial relationship with the entity, unless an exception applies. DHS include inpatient and outpatient hospital services. A referral does not include any DHS personally performed or provided by the referring physician. There is a referral, however, when the hospital bills a facility fee in connection with personally performed services. A financial relationship may exist through ownership or a compensation arrangement.

Tuomey’s Reaction to Business Challenges.

Tuomey is a nonprofit community hospital in Sumter, South Carolina, a mostly rural, medically underserved area. In the early 2000s, like so many other community hospitals, Tuomey faced the challenge of dropping outpatient volumes due to physicians performing procedures in their own offices or in ambulatory surgery centers. Tuomey’s future looked bleak and tens of millions in lost revenue was predicted. Tuomey developed a strategy to enter into part-time employment agreements with several previously-independent physicians on its medical staff. The arrangements were problematic for several reasons, without considering their current $237 Million price tag:

 

  • Compensation that varied year to year based on collections;
  • A requirement that Physicians perform outpatient procedures at Tuomey facilities;
  • Productivity bonuses of eighty percent of collections and an additional incentive bonus up to 7 percent of the productivity bonus;
  • Physicians were paid more than their collections, despite fair market value opinions from valuation experts;
  • Tuomey provided malpractice coverage, and performed the billing;
  • Ten year terms with 2 year back-end non-competes;
  • Physician who refused the arrangement and raised specific Stark issues (e.g. the Qui Tam Plaintiff in this case, Dr. Drakeford); and
  • Competing expert legal opinions from top health lawyers who were kept in the dark from one another and rejection and lack of diligence regarding negative opinions from counsel

 

Following two trials and two appeals, the 4th Circuit affirmed the $237 Million jury verdict and concluded that the trial court correctly granted a motion for a new trial, and rejected Tuomey’s various claims of error. As discussed below, the Court considered and commented on several important Stark and FCA issues.

Significant Aspects of 4th Circuit’s Opinion

 

Testimony of Kevin McAnaney:

 

Following the first Tuomey trial in 2010, the jury found that Tuomey had violated the Stark Law, but not the FCA. The trial court granted a post-trial motion based on what it viewed as its substantial error in excluding the testimony of Tuomey’s Senior Vice President and Chief Operating Officer, Gregg Martin. The 4th Circuit agreed that a new trial was proper, but reached that decision on slightly different grounds – the trial court’s exclusion of Kevin McAnaney’s testimony. Mr. McAnaney, a lawyer in private practice, was retained by Dr. Drakeford and Tuomey to advise of the Stark Law risks. Mr. McAnaney previously wrote a substantial portion of the Stark Law regulations in his role as Chief of the Industry Guidance Branch of DHHS Office of General Counsel to the Inspector General. The Court and the jury, apparently, found the McAnaney testimony to be particularly probative of the knowledge element of the FCA. McAnaney advised that the Tuomey employment agreements raised significant “red flags” under the Stark Law, such as compensating physicians in excess of their collections, thus making the arrangement “an easy case to prosecute.”

 

On McAnaney’s testimony, the 4th Circuit observed and concluded the following:

 

In the first trial, the jury did not hear from McAnaney and found for Tuomey on the FCA claim. When the case was retried, McAnaney was allowed to testify and the jury found for the government. Coincidence? We think not.

Indeed, it is difficult to imagine any more probative and compelling evidence regarding Tuomey’s intent than the testimony of a lawyer hired by Tuomey, who was an undisputed subject matter expert on the intricacies of the Stark Law, and who warned Tuomey in graphic detail of the thin legal ice on which it was treading[.]

Jury Reasonably Found Stark Violations:

 

It is unremarkable in a general sense that the 4th Circuit refused to set aside a jury verdict and find that no reasonable jury could have concluded that Tuomey violated Stark. Tuomey argued, unsuccessfully, that the only question that should have gone to the jury was whether the contracts, on their face, took into account the value or volume of anticipated referrals. The Court concluded that two components of the physicians’ compensation varied with the volume or value of referrals. The physicians were paid a base salary that was adjusted upward or downward in the subsequent year depending on collections from the prior year. The physicians were also paid a productivity bonus that was set at eighty percent of their collections. The Court concluded that it was “plain that a reasonable jury could find that the physicians’ compensation varied with the volume or value of actual referrals.” The Court also recalled its earlier opinion where it noted that the tainted referrals were the “facility component of the physicians’ personally performed services, and the resulting facility fee billed by Tuomey based upon that component.”

False Claims Act

 

The Court rejected Tuomey’s claim that no reasonable jury could have found a violation of the FCA because it acted on the advice of counsel. The court again pointed to the testimony of attorney McAnaney and amplified the District Court’s conclusion that a “reasonable jury could have found that Tuomey possessed the requisite scienter once it determined to disregard McAnaney’s remarks.” Tuomey’s ‘advice of counsel’ defense ultimately failed because it was unable to show that there had been a full disclosure of all pertinent facts to and among legal counsel, and a lack of good faith reliance on just the favorable legal advice. The Court was not persuaded by Tuomey’s claims that it had, following Mr. McAnaney’s negative view, retained top national health lawyers from reputable firms to complete the transaction.

Tuomey Unsuccessfully Challenges Jury Instructions and Damages Award

 

The Court rejected Tuomey’s various claims of error related to jury instructions. Tuomey argued that the trial court failed to limit the jury’s inquiry to whether or not the contracts, on their face, took into account value or volume of anticipated referrals. The Court emphasized that the jury could consider the parties’ intent to determine if an arrangement took into account volume or value of referrals, but intent alone would not be enough to create a violation.

 

Tuomey argued that the jury should have been separately instructed on the knowledge element in the indirect compensation arrangement definition under Stark and in the FCA. The court found that any such error here was harmless since the jury’s conclusion that Tuomey possessed the requisite scienter under the FCA and also possessed knowledge that the Physicians’ aggregate compensation varied with referrals, a necessary element of the definition of an indirect compensation arrangement under Stark. 42 U.S.C. § 411.354 (c)(2)(iii).

 

Tuomey claimed that the trial court erred by failing to instruct the jury that disputed legal questions are not false claims under the FCA. As with all providers who bill Medicare, Tuomey was required to certify its compliance with laws, to include the Stark Law. Because the jury found that Tuomey violated the Stark Law, the certification of compliance was false, and therefore all tainted claims were false. This seems like fertile ground for further appellate challenge.

 

The Court rejected Tuomey’s challenge to the trial court’s failure to give an instruction that Tuomey was entitled to rely on legal advice even if it turned out to be wrong. The Court found that other jury instructions regarding knowledge under the FCA already were sufficient to cover Tuomey’s concern in this regard.

 

Finally, the Court rejected various challenges by Tuomey regarding the whopping $237,454,195 judgment. It argued that the trial court improperly calculated the penalty, that it incorrectly measured damages, and that the award violated the 5th and 8th Constitutional Amendments. The Court rejected all of Tuomey’s arguments, and found that the jury was properly instructed to consider all tainted hospital claims – both inpatient and outpatient, to determine prohibited referrals. The Court further concluded that the Government was allowed to rely on summary evidence of referrals, perhaps due in part to the fact that Tuomey did not offer its own expert as to damages calculations. The court rejected Tuomey’s challenge that the Government was not damaged, and rejected Tuomey’s claims that the award was unconstitutional under the Due Process Clcause of the 5th Amendment and the Excessive Fines Clause of the 8th Amendment.

 

The Court rejected Tuomey’s argument that if it submitted false claims that the only false claims were its annual cost report submissions and not the 21,730 UB-92/04 forms that it submitted. The Court concluded that Tuomey violated the FCA each time it submitted a claim for reimbursement because it was knowingly asking the government to pay an amount that, by law, it could not pay. Again, look for this issue to be prominently featured in a future appellate review of this case.

 

Takeaways from Tuomey

While Tuomey presents staggering results, it does represent a somewhat unusual set of facts. While it provides a strong reminder that hospitals should critically view their arrangements with referring physicians, it does not preclude the development of sound business and legal strategies within a complicated regulatory legal framework. The following are among the valuable lessons learned from Tuomey:

 

  • Courts and juries may look beyond the four corners of an agreement to determine if an arrangement takes account of volume or value;
  • Courts and juries may look beyond supporting items such as self-serving appraisals to find legal violations; Lawyers and their clients are best-advised to validate the assumptions supporting such appraisals;
  • There is a reason that nearly every FCA matter settles and that is due to the shear potential downside, as evidenced by this case;
  • Review arrangements with physicians and consider them and their fair market value support in the context of the history and intent that lead to the arrangements, to determine if they would pass Tuomey-like scrutiny;
  • Take care when bringing in the next lawyer to rule out a prior negative legal opinion or to break the tie between two competing legal opinions – who is the client? Where is the attorney-client privilege? How will all lawyers’ opinions be considered by the lawyers and the client?

 

Adam Snyder is Chair of the Ogden Murphy Wallace Business Department and is a Part-time/Adjunct Faculty member of the University of Washington School of Law. For additional information regarding Tuomey, Stark, or the False Claims Act, please contact Adam Snyder or Greg Montgomery.

 

2014 OIG Work Plan Contains New Priorities Specific to Hospitals

The Department of Health and Human Services, Office of the Inspector General (OIG) recently released its Fiscal Year (FY) 2014 Work Plan.  The Plan contains new priorities specific to Hospitals in areas related to Policies and Practices, Billing and Payments, and Quality of Care and Safety.  For a complete copy of the OIG 2014 Work Plan, please click here.

The OIG Work Plan provides a description of what the OIG will be focusing on in the coming year, giving providers insight into identifying corporate compliance risk areas and providing focus for ongoing efforts relating to compliance program activities, audits, and policy development.  Some of the hospital-specific priority areas identified as ‘New’ include the following:

A.      Policies and Practices

  1.  2 Midnight Rule: As of FY 2014, physicians should admit inpatients where they expect the patient’s care to last at least 2 nights in the hospital.  This modification is due to the OIG’s previous findings of over payments for inpatient stays, inappropriate billings and inconsistent billing practices.  OIG plans to review the impact of this new admission criteria and how billing varies among hospitals.
  2. Defective Medical Devices: OIG will review the increased costs to Medicare resulting from additional services necessitated by the use of defective medical devices.
  3. Comparison of Provider-Based and Free-Standing Clinics:  OIG will compare the payments made in provider-based settings and free-standing clinics with respect to similar procedures to determine the potential impact to the Medicare program for hospitals claiming provider-based status, and presumably, whether providers claiming provider-based status meet the criteria in 42 CFR § 413.65(d).

B.      Billing and Payments

  1.  Outpatient Evaluation and Management Services:  OIG will review payments made for outpatient E/M services to determine if they were appropriately billed as “new” or “established.”  Patients are generally considered “new” unless they were seen as a registered inpatient or outpatient within the past 3 years.
  2. Cardiac Catheterization and Heart Biopsies:  Billings for right heart catheterizations will be reviewed to determine if they were appropriately billed separate and apart from billings for heart biopsies.
  3. Payments for Patients Diagnosed with Kwashiorkor:  Due to the high level of reimbursement, billings for Kwashiorkor will be reviewed to determine whether diagnoses are supported by the medical record.
  4. Bone Marrow or Stem Cell Transplants: OIG will review procedure and diagnosis codes to determine the appropriateness of bone marrow and stem cell transplantation.

C.      Quality of Care and Safety

  1. Pharmaceutical Compounding:  In light of a recent meningitis outbreak resulting from contaminated injections of compounded drugs, OIG will review the oversight and accreditation assessment of pharmaceutical compounding in Medicare-participating acute care hospitals.
  2. Review of Hospital Privileging:  OIG will review how hospitals consider medical staff candidates prior to granting initial privileges, verification of credentials, and review of the National Practitioner Databank.

For additional information regarding the 2014 OIG Workplan or hospital/corporate compliance please contact Adam Snyder.