Please be advised that contacting Ruder Ware by e-mail does not create an attorney-client relationship. If you contact the firm by e-mail with respect to a matter where the firm does not already represent you, any information which you disclose to us may not be regarded as privileged or confidential.



Search Results

Searching for Articles by John H. Fisher, II
John H. Fisher, II
Attorney
Wausau Office
Found 55 Results.

Ambulatory Surgery Center (ASC) Case Demonstrates Differential Value Theory of Remuneration

Posted on April 11, 2017, Authored by John H. Fisher, II, Filed under Health Care

A relatively recent case involving buy-in terms in an ambulatory surgery center demonstrates how different valuations for referral sources and non-referral sources can be evidence of remuneration under the Medicare Anti-Kickback Statute (42 U.S.C. § 1320a-7b(a)-(b)). The case also demonstrates how initial investment terms that favor referral sources can foreclose reliance on safe harbor regulations.

The case involved an ambulatory surgery center management company that purchased an interest in an ambulatory surgery center. The company then offered shares of the company for investment to physicians who were in a position to refer surgical cases to the surgery center. The physician investment was structured to meet the terms of the safe harbor regulations for ambulatory surgery center investments (“ASC Safe Harbors”). The ASC Safe Harbors provide protection for remuneration received by a referring physician as a return on investment as long as the physician meets certain minimum practice revenue and surgical volume requirements.

Physician investors must generally receive at least 1/3 of their practice income from the provision of surgical procedures and perform at least 1/3 of their surgical procedures in the center in which they hold an investment interest.

The problem with the way the investment interest was structured is the different valuation that applied to the purchase made by the management company and the investment offer made to the referring physicians. The management company purchased its investment at a much higher price than was offered to the physicians. The differential valuation violated a threshold requirement of the ASC Safe Harbors that prohibits the initial investment interest from being based, in whole or in part, on the volume or value of referrals the investor might make to the entity. It was very difficult for the parties to justify the different value applied to the physician investment. The only apparent difference appeared to be that the physician investors were the referral sources for the surgery center.

This case specifically involved an ambulatory surgery center investment, but the concept of differential valuation could apply in other situations involving the Anti-Kickback Statute. Different values paid to or received from referral sources and non-referral sources can suggest that at least one of the reasons for the differential is the volume or value of potential referrals. This points out a general area of risk assessment for health care providers. Areas where different pricing is applied to referral sources and non-referral sources could signify a potential violation of the Anti-Kickback Statute.

Other Blogs and Articles Involving Ambulatory Surgery Centers

• Enforcing ASC Exclusion Provisions While Minimizing Legal Risk – Rethinking Strict Application of the Safe Harbors to Exclusion Decisions
• Ambulatory Surgery Center Compliance Federal Settlement Raises Issues for Physician Owned Surgery Centers
• Ambulatory Surgery Center – Anti-kickback Issues and Safe Harbor Regulation Compliance
• Ambulatory Surgery Center Compliance Legal Practice
• Ambulatory Surgery Center Advisory Opinions
• Ambulatory Surgery Center Radiologist Rules – Proposed Simplified By CMS
• Anesthesia Company Model Advisory Opinion 12-06

Self-Disclosure Has Become a Normal Part of the Compliance Process

Posted on April 12, 2017, Authored by John H. Fisher, II, Filed under Health Care

As the Office of the Inspector General and Centers for Medicare & Medicaid Services make self-disclosure easier for providers, we have noticed an increase in the rate of cases that are being filed. Assisting providers in making decisions whether to self-disclose, conducting internal investigations, and guiding the self-disclosure process when appropriate has become a large part of our compliance practice. Here are just a few of the articles and other resources we have released regarding self-disclosure issues:

• Exercising Reasonable Care to Identify and Address Potential Overpayments
• Criminal Exposure for Failing to Repay Known Overpayment
• When to Use the OIG’s Self-Disclosure Protocols
• Excluded Party Cases Dominate OIG Published Self-Disclosure Settlements
• Self-Disclosure Process – Voluntary Self-Disclosure Decisions are not Always Easy
• When Does An Overpayment Become Fraud? How Simple Inattention Can Expose You to Penalties for Fraudulent Activities
• Provider Self-Disclosure Decisions – Voluntary Disclosure Process
• Provider Self-Disclosure Process

For more information on the self-disclosure process and legal updates impacting this process, please check this blog for new posts.

Sally Yates was Already Famous for Changing the Focus of Compliance Investigations - The Yates Memorandum

Posted on April 5, 2017, Authored by John H. Fisher, II, Filed under Health Care

By now the whole world knows about Sally Yates. We are likely to see a lot more of her as a central figure in Congressional investigations. For some of us who deal with compliance investigations, Sally Yates was famous long before her refusal to defend the immigration ban. She was the author of the famous “Yates Memorandum” that changed the focus of corporate investigations to require investigation of potential individual wrongdoing in order to receive cooperation credit from Federal prosecutors.

The Yates Memo directs federal prosecutors, as well as civil attorneys investigating corporate wrongdoing, to maintain a focus on responsible individuals, recognizing that holding them accountable is an important part of protecting the public in the long term. In fact, prosecutors are directed to first look at potential individual wrongdoing when investigating a case. The new policy requires companies facing potential Federal civil and criminal charges to investigate individual wrongdoing and report it to the government in order to receive government cooperation credit. The new federal policy applies to all federal criminal and civil prosecutions in all industries.

The Yates Memo is the most recent in a line of actions by Federal prosecutors that began in the late 1990s that have increased the focus on seeking accountability from the individuals who perpetrate wrongdoing. The Yates Memo resulted in an update to the U.S. Attorney’s Manual ("USAM") provisions covering Principles of Federal Prosecution of Business Organizations (USAM § 9-28.000). Inclusion of principles into the USAM means the concepts in the Yates Memo are now operational and are required to be integrated into the prosecutorial decision making process across the country.

6 General Principles of the Yates Memorandum

• Principle 1: “To be eligible for any cooperation credit, corporations must provide the Department all relevant facts about the individuals involved in corporate misconduct.”
• Principle 2: “Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.”
• Principle 3: “Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.”
• Principle 4: “Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals.”
• Principle 5: “Corporate cases should not be resolved without a clear plan to resolve related individual cases before the statute of limitations expires and declinations as to individuals in such cases must be memorialized.”
• Principle 6: “Civil Attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.”

OCR Settlement Lessons - Failing to Perform an Electronic Access Risk Analysis Before an Unauthorized Access Occurs

Posted on May 3, 2017, Authored by John H. Fisher, II, Filed under Health Care

Failure to conduct a risk assessment before a hacking incident occurred resulted in a $400,000 settlement between the Office of Civil Rights (OCR) and a Federally Qualified Health Clinic (FQHC). The FQHC filed a breach report upon learning its employee emails had been hacked and the hacker had access to electronic health information of over 3,000 patients. The OCR’s investigation that resulted from the breach disclosure revealed that required corrective action was taken in response to the breach but that the provider failed to conduct a timely risk analysis. Furthermore, the provider failed to conduct an assessment of risks and vulnerabilities of ePHI prior to the breach and had not implemented corresponding risk management plans to address electronic risks. Even when the provider conducted a risk analysis, OCR found the analysis to be insufficient to meet HIPAA security standards.

• Lesson 1 – Conduct an analysis of electronic risk vulnerabilities before an unauthorized access breach occurs.
• Lesson 2 – OCR considered that the provider was an FQHC and still imposed a $400,000 settlement amount.
• Lesson 3 – Do not overlook the HIPAA security rules.

Best Practices in Compliance Program Operation

Posted on April 4, 2017, Authored by John H. Fisher, II, Filed under Health Care

Given the increased importance of compliance, it is helpful for providers to get a feel for what constitutes “best practice” when operating a compliance program. “Best Practices” is a term thrown around all of the time in the business world. It is used in many contexts and takes on a variety of meanings depending on who is using it and for what purpose. Wikipedia defines “best practice” as follows:

Best practices are generally-accepted, informally-standardized techniques, methods or processes that have proven themselves over time to accomplish given tasks. Often based upon common sense, these practices are commonly used where no specific formal methodology is in place or the existing methodology does not sufficiently address the issue. The idea is that with proper processes, checks and testing, a desired outcome can be delivered more effectively with fewer problems and unforeseen complications.

In addition, a "best" practice can evolve to become better as improvements are discovered. Best practice is considered by some as a business buzzword, used to describe the process of developing and following a standard way of doing things that multiple organizations can use.

http://en.wikipedia.org/wiki/Best_practice

As I was thinking about the concept of “best practices” in health care compliance, the Wikipedia definition seemed to fall a little short of what I would have in mind when discussing “best practices” in health care compliance programs.

The Merriam-Webster Dictionary defines “Best” as the superlative form of “good.” “Best” means “excelling all others” and “offering or producing the greatest advantage, utility, or satisfaction.” I believe the definition from Wikipedia is an accurate depiction of what the term “best practices” has become in the business world. The term has been thrown around loosely to the point it no longer carries the meaning of the plain words that make up the two-word “buzzword.”

In the health care compliance context, I believe it is not advisable to direct your efforts toward the standard “buzzword” meaning of “best practices.” Instead, you should focus on attempting to achieve the meaning of “best practices” that is tied to the superlative form of the word “good.” You should not focus on the “we are doing what everyone else is doing” or the “what we are doing will pass by in most cases” version of best practices when looking at your compliance plan. The consequences of that approach could easily come back to bite you in the superlative.

In reality, you may never be able to meet the truly “best” standard. However, the point of the compliance program requirement is that you are trying to make your compliance program and your organization “the best” when it comes to compliance. Here are a few tips to help you attempt to meet the “best practices” standard:

• Act as if you are under a Corporate Integrity Agreement. Always assume the government is looking over your shoulder and you will be called upon at some point to justify the effectiveness of your compliance program.
• Follow the government guidelines to the “t”. Familiarize yourself with the Federal Sentencing Guidelines and Office of Inspector General Industry Guidance and integrate these requirements into your compliance plan.
• Stay current with government releases, speeches, regulations, comments, advisory opinions, and all other communication that help to define your obligations.
• Make your compliance plan a “living and breathing” document that is continually up for revision based on specific things you learn about your specific organization.
• Make sure your compliance officer focuses on compliance and does not wear other hats that compete for time, attention or perspective.
• Make certain sufficient resources are devoted to compliance. Adopt the view that it is better to spend money on compliance than to pay for mistakes down the road.
• If there is an area where you are not able to achieve “best practices” for financial or other reasons, be prepared to justify your shortcomings.

Key to all of this is to operate as if you will someday be required to defend the effectiveness of your compliance program. These are just a few tips to get you thinking about your compliance approach. Health care reform has made compliance programs mandatory for the first time. There are also multiple indications the government wants organizations to devote more to compliance as a way to save health care costs. It is clearly time for organizations of all types and sizes to re-focus their efforts on compliance within their organizations.

When is a Physician Liable for Stark Law Violations?

Posted on March 30, 2017, Authored by John H. Fisher, II, Filed under Health Care

I frequently hear attorneys claim the Stark law applies equally to hospitals and physicians. This position is sometimes taken in the process of negotiating a transaction between a hospital and a physician or physician group. In this context it is limited to simple posturing to attempt to get a better financial deal in the negotiated arrangement. This position takes on different and much more serious repercussions when taken in the context of addressing a potential compliance violation.

Let me make it clear: the Stark law applies to physicians. It applies when physicians are the provider of designated health services. It also potentially applies to physicians when they make referrals to hospitals or other providers of designated health services. The potential liability to the physician is much different and more remote than the liability of the designated health service provider.

The primary sanction for violating the Stark law is denial of payment of designated health services that flow from referrals made by a physician who has a prohibited financial arrangement with the DHS provider. The Stark law is primarily a payment ban effective regardless of intent. If there is a financial relationship with the physician and no exception exists to permit the referral, there is a violation and the provider of the designated health service is denied the right to seek payment for the prohibited services. Prohibited billings result in an overpayment.

The Affordable Care Act attaches additional penalties under the Federal False Claims Act if repayment is not made within 60 days after the designated health service provider discovers an over-payment occurred as a result of the Stark law infraction. Penalties for failing to make timely repayment include triple the amount of the improper payment plus an additional $22,000 per claim. In many cases the potential exposure to the designated health service provider can be astronomical and large enough to threaten the potential viability of their business. However, none of this exposure falls on the referring physician if the referring physician does not bill for the designated health service.

In the typical case involving a hospital/physician relationship, the liability exposure for improperly billed designated health services only falls on the hospital, not the referring physician.

This is the source of a common misconception among physicians and even some hospital attorneys. A physician is not subject to the primary sanction for violating the Stark law, which is repayment of amounts received for improperly billed designated health services. This has been confirmed multiple times by the Center for Medicare and Medicaid Services. Physicians who make referrals to DHS entities are only liable if found to have participated in a circumvention scheme the physician knows or should know has a principal purpose of assuring improper referrals. Participation in a circumvention scheme is a serious offense and can result in exclusion and the imposition of penalties. A circumvention scheme requires proof and is not a strict liability offense resulting in the obligation to repay billings.

A circumvention scheme is likely not present if a contracting physician is being compensated in excess of an appraisal obtained by the contracting hospital. A circumvention scheme is a scheme (such as a cross-referral arrangement) the physician knows or should know has a principal purpose of assuring referrals that could not be made directly. It does not occur just because a physician is paid a little bit over fair market value.

CMS Extends Compliance Date for New Home Health Conditions of Participation

Posted on April 4, 2017, Authored by John H. Fisher, II, Filed under Health Care

In February, we reported on revisions to the Conditions of Participation for Home Health Agencies (HHA) released by the Centers for Medicare & Medicaid Services (CMS). CMS has now proposed the effective date of new Conditions of Participation (CoP) be delayed by six months. The original effective date of the new regulations was July 13, 2017. The recently proposed rule would delay the effective date of the new CoP until January 13, 2018.

The new CoP revisions published in January of this year were the first major revisions made to the rules in nearly 20 years. The new rule reflects an increased focus on a patient-centered, data-driven, outcome-oriented process that continually promotes high quality patient care at all times. The regulations represent a move away from regulatory focus on enforcement of prescriptive health and safety standards toward improving the quality of care for all patients. Regulatory priorities are more focused on stimulating broad-based improvements in quality of care rather than expending resources on enforcing standards against marginal providers.

The new regulations purport to permit greater flexibility in how home health agencies are permitted to meet quality standards. The new focus stresses interdisciplinary patient care and aims at creating broad-based measurable improvements in quality of care while streamlining procedural burdens that impede providers.

A few areas of change include new requirements for:

• More continuous, integrated care process across all aspects of home health services based on a patient-centered assessment, care planning, service delivery, quality assessment, and performance improvement.
• Use a patient-centered, interdisciplinary approach that recognizes contributions of various skilled professionals and their interactions with each other to meet the patient’s needs.
• Emphasis on quality improvements by incorporating an outcome-oriented, data-driven, quality assessment and performance improvement program specific to each HHA.
• Eliminate the focus on administrative process requirements that lack adequate consensus or evidence they are predictive of either achieving clinically relevant outcomes for patients or preventing harmful outcomes for patients.
• A focus on safeguards on patient rights.

The extension of the effective date for the new regulations responds to concerns voiced by industry groups that there would be difficulties meeting the required timeline for implementing new quality assessment and improvement requirements.

Suggested Questions for the Compliance Officer

Posted on April 19, 2017, Authored by John H. Fisher, II, Filed under Health Care

In a previous blog post, I promised to release a list of questions a Board of Directors (Board) might ask its compliance officer. This post is intended to fulfill that promise. My intent is to help Board members exercise their oversight responsibility, assess the compliance officer, and further their understanding of the compliance program and risks faced by organizations.

The Board should have an ongoing dialogue with compliance. Initial questions can be turned into follow-up items at subsequent compliance sessions. The Board’s questions will naturally evolve as their understanding of the process deepens. The questions might change or grow more focused over time, but they should not stop. The Board needs to continue its inquisitive process over the compliance process.

Governing Body Compliance Responsibilities – Questions Board Members Might Ask of a Compliance Officer:

• Is anyone or anything within your organization impeding your ability to operate an effective compliance program? For example, is management resistant to your compliance efforts?
• Does management completely embrace and support compliance functions?
• What is the scope of your responsibilities? Do your responsibilities extend beyond your compliance obligations? Do other obligations significantly impede the effective operation of the compliance program?
• Do you perceive any conflicts of interest from any other responsibilities you might have?
• What is involved in the compliance reporting process that permits employees and others to report compliance issues?
• Are your compliance efforts adequately funded? Do you need to seek funds from other areas of the organization?
• Do you have sufficient staff to support your compliance efforts to the level of effectiveness appropriate for the organization?
• Have you been able to adequately address all compliance issues that come to your attention? Are you able to address and resolve issues promptly?
• How frequently does the organization have an outside compliance effectiveness review conducted?
• What are the main gaps that exist in the compliance program?
• Do you have the ability to retain separate legal counsel to address compliance issues without having to check with management?
• What is needed from the Board of Directors to assure you are able to adequately operate an effective compliance program?
• Are you comfortable addressing compliance issues that may involve management or legal counsel?
• Do you maintain compliance resources such as applicable laws, rules, and regulations in a central location for easy access?
• How do you stay current on legal and regulatory issues that potentially impact the organization?
• What are the top regulatory risk areas that potentially impact the organization?
• Is there a process to continually identify new and emerging legal and regulatory risks?
• Do you regularly conduct compliance training?
• What training resources or expertise would be helpful for the Board to better understand the nature of its compliance oversight responsibilities?
• How do you know whether compliance training is effective? How do you measure results?
• What issues that potentially impact the organization are focused on by applicable regulatory agencies?
• Is there an atmosphere within the organization that facilitates reporting of compliance concerns and assessment of perceived compliance issues?

Lessons from OCR HIPAA Settlements - Mobile Device Security Standards

Posted on May 3, 2017, Authored by John H. Fisher, II, Filed under Health Care

In the first known case involving a wireless provider, a cardiology service provider agreed to pay a $2.5 million settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). The company provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The company disclosed to the Office of Civil Rights (OCR) that a workforce member’s laptop had been stolen from a vehicle parked outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals.

The disclosure of this situation resulted in an OCR investigation that revealed the company did not maintain an adequate risk analysis and risk management process. The investigation also revealed that HIPAA security policies were in draft form and had not been implemented. No policies could be produced to specifically address safeguards protecting ePHI.

In the press release relating to this matter, the OCR made a special point to highlight the need to adopt and implement policies to address the special risks involved with using mobile devices in the health care industry. OCR made a rather strong comment regarding the need to address mobile device risks, stating “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

• Lesson 1 – Adopt and implement policies and procedures addressing security risks associated with the use of mobile devices.
• Lesson 2 – Make sure your policies and procedures are in final form and have been adopted and implemented as active policies.
• Lesson 3 – Many providers focus on HIPAA privacy policies and overlook HIPAA security standards. Do not make this mistake.

Legal and Compliance Issues Impacting Medical Practices Using Laser Technology

Posted on April 7, 2017, Authored by John H. Fisher, II, Filed under Health Care

Medical practices that routinely use laser technology are subject to some of the same legal issues as other types of practices. Use of lasers creates additional compliance issues and highlights certain compliance risk areas. Our special coverage issue contains articles on some of the legal issues impacting these practices.

• Compliance Program Operation. All medical practices should have an active compliance program effective at identifying risk areas and taking steps to ensure compliant practice. Risk areas specific to the practice should be integrated into a continuously operating compliance program.
• Fraud and Abuse. Fraud penalty calculations under the False Claims Act (FCA) result in exorbitant penalties, even based on otherwise reasonable overpayment amounts. There has been a steady flow of fraud and abuse cases involving practices using lasers, even where there is no actual knowledge of a non-complying practice.
• 60-Day Repayment Rules. Federal law provides that an overpayment not repaid within 60 days after discovery becomes a false claim and exposes the practice to the draconian remedies under the FCA summarized above. This requires practices to establish standard policies identifying how overpayments are handled. Mistakes made in this area can be extremely costly.
• Whistleblower Risks. The recent fraud cases are being used aggressively as advertising by attorneys who focus on whistleblower cases. Whistleblower lawyers take their cases on a contingency fee basis and encourage cases to be brought under the draconian damage provisions in the federal FCA.
• Supervision of Physician Extenders. Proper supervision of physician extenders is dictated by state law and reimbursement requirements (for example “incident to” rules under Medicare). Every medical practice using physician extenders should have written policies on supervision which clearly communicate requirements to physicians and staff. Documentation of appropriate supervision is also necessary.
• Tele-dermatology Issues. The use of telehealth technologies is rapidly increasing. Dermatology is one specialty area that benefits from the expansion of telehealth using both real time and “store and forward” technologies. The use of telehealth in the practice of dermatology facilitates expert consultation and long distance examination reaching into remote areas.
• HIPAA Stage 2 Audits. As OCR continues to move forward with its multi-stage audit program, the consequences of OCR finding a deficiency in HIPAA practices are becoming more serious. A systematic review of HIPAA policies and procedures should be conducted to ensure all required elements are covered.

Disputing Inaccurate Reports Under the Physician Payment Sunshine Act

Posted on April 6, 2017, Authored by John H. Fisher, II, Filed under Health Care

The Affordable Care Act added the Physician Payment Sunshine Act (Sunshine Act) as section 1128G to the Social Security Act. The Sunshine Act requires applicable manufacturers of drugs, devices, biologicals, or medical supplies and certain group purchasing organizations to report annually to the Centers for Medicare & Medicaid Services (CMS) certain payments or items of value that are provided to physicians and teaching hospitals. The Sunshine Act also requires CMS to publish payments reported on a public Web site.

In 2013, CMS issued final regulations interpreting and clarifying the requirements of the Sunshine Act. The final regulations clarify the reporting process, identify exceptions and exclusions from the reporting requirements, and provide further details regarding what constitutes a reportable relationship. The final rule delineates the specific data elements reporting organizations are required to include and the required reporting format. Reporting organizations failing to make required reports are subject to potential civil monetary penalties.

Physicians are often surprised to see the information reporting agencies submit. Early on, errors in reporting were frequent as reporting companies struggled to integrate reporting requirements into their compliance process. Reports tend to be more accurate now, but there are certainly instances where reporting organizations create reports that should be questioned. A process is included to afford physicians and teaching hospitals the opportunity to review and dispute the information a reporting organization proposes to report. The regulations require physicians to exercise diligence to review information being submitted that describes items of benefit they are alleged to have received. The regulations include a 45-day review and correction period, but report information does not automatically come to a physician unless affirmative action is taken to sign up to receive this information.

If the physician or teaching hospital receives notification, a process can be used to dispute the proposed disclosure with the applicable manufacturer. There is a very short time window to dispute and resolve the issue before publication is made for the applicable year, so it is critical that a dispute be invoked promptly upon receipt of notice of the proposed report. Signing up for notifications also permits access to the web-based dispute system. The review period lasts for 45 days and reporting organizations have 15 days after the end of this period to correct data to resolve disputes.

Errors in amount, the nature of items reported, and methodology of calculating or allocating expenditures among numerous recipients are frequent areas of error. For example, situations have occurred where expenditures that benefitted numerous physicians were allocated to a single physician. The opportunities for error in reporting are endless, particularly given the multiple parties that can be involved in the reporting chain for the reporting company.

Inaccurate reporting is not without consequence to the subject of the report. Inaccurate reports can be indicative of conflict of interest and can impact publication or reviewer credibility. A report can also be an indication of further potential fraudulent payments and can result in further government investigation regarding the fair market value of services provided in a consulting or other relationship. In extreme cases, payments inflated over fair market value for services that are actually and legitimately provided can indicate potential Anti-Kickback Statute and other compliance violations which can carry significant penalties. If a review is based on an inaccurate or inflated report, a positive resolution can likely be reached with investigators. However, anyone who has ever been involved in a government compliance investigation understands the intangible damage the process can create.

In order to avoid complications that could result from inaccurate reports, physicians and other reporting subjects should be certain to register to receive notification of proposed Physician Sunshine Act reports. Any inaccuracies should be disputed promptly.

Medicaid Fraud Control Units Report Focus on Personal Care Services

Posted on June 27, 2017, Authored by John H. Fisher, II, Filed under Health Care

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has released a report summarizing activities of State Medicaid Fraud Control Units (MFCUs or Units) for fiscal year 2016. The OIG is the designated Federal agency for oversight of state MFCUs. The report found a total of 1,564 convictions, of which approximately one-third involved personal care service attendants. Personal care convictions included prosecution of personal care attendants, agency representatives, and home care aides. The report also identified 998 civil settlements and judgments and nearly $1.9 billion in civil and criminal recoveries. Around one-fourth of the convictions related to fraudulent billings and other fraud issues. Another quarter of the convictions involved patient abuse or neglect, including patient assault occurring in long-term care facilities.

The focus on the personal care industry is highly problematic because personal care agencies are often smaller, local businesses operating on relatively thin margins. Personal care businesses generally involve a nurse who has supervision authority over personal care workers. Personal care workers may be assigned to provide basic care to a small group of patients in their homes. Sometimes the personal care worker is even a resident in the home of the patient and may be a distant relative of the patient. Smaller organizations may not have the resources to proactively deal with compliance issues. At the same time, there are numerous areas of compliance risk in the personal care business. Some risk areas that might catch the attention of personal care businesses include:

- Personal care workers must be appropriately qualified and trained. Verification of qualifications should be performed and documented by the agency.
- A registered nurse is generally responsible for assuring each personal care worker is properly trained in certain core competencies. Periodic and remedial training may be required to meet training requirements.
- Failure to properly document training provided to personal care workers presents risk, even if the training actually took place. Training needs to be completely documented or reviewing agencies may deny payment or seek repayment from the provider.
- Personal care worker documentation must appropriately document the service provided. The service must be within the allowable scope of service and the start and stop time of the applicable service must be accurately recorded. Insufficient documentation is one of the most frequent grounds for investigation.
- The service provided by the personal care worker should match the plan of care for the specific patient.
- The personal care worker’s documentation must be properly maintained and must make sense in context of the specific care relationship.
- Timesheets and claims must match. Time increments claimed by an agency must be supported by documentation by the personal care worker that matches the claim.
- Claims must be submitted by the same personal care worker who records the time in the patient record.
- Avoid using timesheets where the recorded information is photocopied. Each personal care worker visit must be considered unique and documentation must match the nature of the service provided during that visit.
- Timesheets must be prepared and signed by the personal care worker and should never be recreated by the agency. Reviewers will look for evidence a worker’s signature is forged or copied.
- Reviewers will look for patterns in documentation that do not make sense. For example, one or more patient records might be compared to determine whether the personal care worker documents services provided at the same time at two different locations. An example cited in the report involves a home care aide who submitted timesheets for services rendered while the patient was in an acute-care hospital. This made the entry patently false and subjected the care worker and agency to legal exposure. In fact, the care worker in this case was fined and sentenced to two years in state prison.

There are numerous compliance “traps” that apply to personal care services. Compliance requirements based on applicable state requirements and reimbursement rules should be identified as part of the agency’s compliance function. Monitoring and auditing should take place in areas where most compliance risk exists. It is highly preferable for an agency to identify areas of non-compliance through its own internal processes. Last but not least, the agency must maintain and actively operate an effective compliance program. Regulatory requirements are numerous and virtually all agencies discover deficiencies over time. Maintaining an effective compliance program is the best protection against an agency being exposed to potentially devastating results of a government investigation, prosecution, or overpayment demand.

When to Use the OIG’s Self Disclosure Protocols

Posted on April 3, 2017, Authored by John H. Fisher, II, Filed under Health Care

The HHS Office of Inspector General offers providers an opportunity to self-disclose certain violations in exchange for avoiding some of the more draconian penalties that may otherwise apply under applicable regulations. Even though the OIG’s Provider Self-Disclosure Protocols (“SDP”) can be very compelling, the decision whether to utilize the OIG’s self-disclosure protocols is often very difficult.

To begin, the SDP is not available in all situations. The SDP is limited to situations that potentially violate Federal criminal, civil, and administrative laws for which Civil Monetary Penalties are authorized. The SDP requires the disclosing party to identify the specific legal provisions that were potentially violated and acknowledge the conduct potentially violated the identified laws. The OIG does not use the SDP to provide opinions on whether a law was violated by the conduct described as the basis for the self-disclosure.

The SDP is not available to disclose and settle Stark Law violations that do not also potentially violate the Anti-Kickback Statute. The Centers for Medicare & Medicaid Services maintains a separate process that can be used for Stark Law-only issues. The OIG protocols are generally used where there is a potential violation of the Anti-Kickback Statute, overpayments that become False Claims under the 60-day repayment rule, and other cases where CMP statutes are potentially implicated.

It is not always clear whether a violation of a CMP law has occurred. Those involved in health care law are familiar with the level of ambiguity that often exists with respect to specific billing rules and other regulatory standards. On the other hand, the potential liability for making the wrong call about whether an infraction has actually occurred can be quite significant. This may force the provider to make use of the SDP as a risk mitigation device, even in cases where it is less than clear that a violation has occurred.

Additional penalties are often present when a provider “knows or should know” that a regulation has been violated or an overpayment exists. A decision whether a provider “should” have known about an overpayment or other infraction is often made on the margins in the context of a self-disclosure decision. For example, failing to repay an overpayment within 60 days of gaining actual or imputed knowledge can triple the amount of penalties and add up to $22,000 per claim to the price tag. It might be easy to determine that a provider did not have actual knowledge as of a certain date. It is much more difficult to determine when the provider should have had knowledge through the operation of an effective compliance program. If the date of imputed knowledge was more than 60 days before the date of disclosure, there is potential liability for increased damages, even if actual knowledge was obtained within the 60-day repayment period. The SDP might be considered to mitigate the enhanced damages that would potentially apply under the False Claims Act in this situation.

Not every situation where there has been a billing error amounts to fraud or wrongdoing requiring use of the self-disclosure protocol. Many overpayments that are identified through audit can be dealt with at the intermediary level. Where investigation raises questions about whether incorrect bills are “knowingly” submitted, the self-disclosure process may provide some mitigation of potential loss. Situations where the provider perhaps “should have known” raise more difficult issues of analysis.

When errors are discovered, the provider’s best bet is to be forthright and deal with the matter “head on.” It is never a good alternative to pretend the situation does not exist or will never be discovered or brought to light. These cases can come to light in strange and unexpected ways. A reasonable investigation should be conducted that leads to a reasoned decision about the nature of the violation. The SDP is available to mitigate potential damages when investigation reveals there is potential exposure to enhanced civil monetary penalties.

Antitrust Challenge to Narrow Network Products – 7th Circuit Rules in Favor of Exclusive Agreement

Posted on June 28, 2017, Authored by John H. Fisher, II, Filed under Health Care

The health care market has recently seen a resurgence in narrow network products. To a significant degree, the resurgence of these products has been driven by managed care plans’ need for new avenues to help reduce the cost of care. Traditionally, health care plans have been able to manipulate risk through exclusion of pre-existing conditions and exclusions on covered services. Health care reform ended much of the opportunity to utilize these methods to reduce costs. In their place, many products in the market contain some sort of limitation on the provider network, either through creation of an exclusive arrangement with a system or network, or through creating more than one level of provider with preferred providers costing less in out-of-pocket expenditures to beneficiaries.

Limited or narrow network products create winners and losers. The winners are the networks who successfully negotiate a level of exclusivity in their arrangement with one or more health care plans. The losers are the systems or networks who are taken out of the market as a result of an exclusive provider arrangement or other limitation. Network adequacy requirements tend to push exclusive arrangements toward the larger systems that are able to fulfill the entire spectrum of care. A larger system can provide “one stop shopping” covering at least the required core elements.

In some instances, exclusive dealing arrangements can be anti-competitive and can also be challenged under state and/or federal antitrust laws. The critical issue is whether the exclusive arrangement unreasonably restricts competition in the market. Restriction on competition is the central concept promoted by the antitrust laws. A smaller system or provider network may challenge an exclusive arrangement as being anti-competitive.

Case law interpreting the antitrust laws in connection with narrow or limited network products is not incredibly well developed, at least as applied to the specific facts involved in the health care insurance market. There are some cases that provide guidance on specific concepts that are applicable in the health care market, but for the most part the law in this area is still developing. That is why a case decided by the 7th Circuit Federal Court of Appeals holds such significance.

The case Methodist Health Svcs. Corp. v. OSF Healthcare System, d/b/a Saint Francis Med. Ctr., Case No. 16-3791 (7th Cir. June 9, 2017) was brought by a smaller system that had been taken out of the market by a larger system that negotiated an exclusivity provision in its contract with one of the major health insurance plans in the region. The smaller system, Methodist Health Services Corporation, brought suit challenging a contract between Saint Francis Medical Center and major health care insurers in the market. Together, Methodist and Saint Francis make up the majority of the health care market in the Peoria, Illinois area. The suit brought by Methodist alleged that the exclusive contract created an unreasonable restraint of trade because it significantly impeded the ability of Methodist to enter private commercial insurance contracts.

The exclusive contracts created two tiers of providers: in-network providers and out-of-network providers. Beneficiaries were responsible for more out-of-pocket costs when using out-of-network providers. Saint Francis took the restriction to yet another level by specifically prohibiting the insurers from making Methodist an in-network provider. More than half of the commercial insurance contracts in the market were alleged by Methodist to include this type of restriction.

The 7th Circuit Court of Appeals was hearing none of the arguments that Methodist made. Instead, the Court focused on the fact that Saint Francis offered a more complete range of services that Methodist was unable to offer through an exclusive arrangement. Additionally, the Court emphasized the short-term nature of the contract between Saint Francis and applicable insurers. The Court found that the short-term nature of the contracts (most had a one-year term) created very little restriction on competition. In fact, the Court opined that the short-term nature of the exclusive arrangements permitted excluded providers to negotiate each year. This actually was seen as promoting competition in the market rather than impeding competition. The Court left open whether longer-term exclusive arrangements might create legitimate restrictions on trade. The Court also placed a lot of weight on the ability of Saint Francis to offer a variety of services that could not be offered by Methodist or any other provider in the market.

Judge Posner authored the decision and seemed to find nothing anticompetitive resulting from Saint Francis’ ability to leverage its more complete array of services. The Court also found that Methodist was not restricted from creating a competitive array of services that are required to achieve network adequacy.

The case is far from a decisive repudiation of potential antitrust claims that challenge narrow network products. Certainly, the right facts could establish more convincing arguments that the exclusive nature of a contract restricts trade. Every market contains different dynamics and antitrust cases tend to be factually based on the nature of competition in the market. At the same time, the 7th Circuit Court of Appeals opinion illustrates the difficulty in bringing antitrust cases in many markets. It will be interesting to see how various Federal court circuits apply the antitrust laws to narrow network products in other jurisdictions. Given the dynamics in the health care market, suits in other jurisdictions are virtually inevitable.

Three Recent Fraud Cases Involving Dermatologists Illustrate Primary Compliance Risks in Dermatology Practices

Posted on April 5, 2017, Authored by John H. Fisher, II, Filed under Health Care

Three relatively recent cases involving dermatology billing practices illustrate some of the main compliance risks faced by dermatology practices. These risk areas include: improper use of multiple removal CPT codes; billing for “impossibly long days”; failure to follow supervision rules required to permit “incident to” billing; creating incentives for overutilization; and performing “outlier” levels of service that cannot be justified.

Misdiagnosis, Overutilization, Violation of “Incident to” Billing Rules, Improper Incentives to Overutilize, Potential Practice Beyond Licensure - November 15, 2016

An allegation from a competing dermatologist resulted in a Federal government investigation of a Florida dermatologist. The dermatologist was accused of charging the Medicare program for unnecessary biopsies and radiation treatments that were not rendered, not properly supervised, or given by unqualified physician assistants. It was alleged the doctor was not even in the country when some of the procedures at issue were performed. The unnecessary charges were alleged to have totaled around $49 million over a 6-year period.

The dermatologist did not admit wrongdoing in the settlement. Rather, he alleged the overbilling resulted from his unique practice that relied on radiation, instead of disfiguring surgery, to help patients. The doctor claimed he had cured “over 45,000 non-melanoma skin cancers with radiation therapy” over a 30-year period. The problem with that argument appears to be the fact that the dermatologist was not trained or qualified in providing radiation oncology treatments.

There are a number of interesting things about this case. The case was brought by a competing physician as a whistleblower. The physician who brought the case expressed concern about having to treat patients that the accused doctor had misdiagnosed with squamous cell carcinoma. The case also alleged significant billing for services allegedly provided when the doctor was not even in the office. The accused doctor alleged he was available by phone while the procedures at issue were being performed. This raises interesting issues under the rules regarding “incident to” billing. Those rules permit a physician to bill for physician extender services. In order to qualify to bill a service as “incident to” a physician’s service, the billing physician must meet supervision requirements. The physician must be physically present within the office suite during the performance of the procedure in order to qualify to bill a service as “incident to” the physician’s services.

It appears there were a number of things going on in this case.

- There appears to have been a pattern of diagnosing a higher level of severity than was supported by the patient’s condition.
- There was a routine use of radiation therapy, even in cases that were not medically appropriate. This placed patients at potential risk.
- There appear to have been questions whether the accused doctor was authorized to perform radiation therapy.
- There were issues regarding improper use of the “incident to” billing rules when the doctor was not present to actively supervise the service.
- There was also some evidence the doctor had offered incentives for staff to misdiagnose and overutilize the radiation treatment.
- There was an alleged kickback arrangement with another physician who operated a clinical laboratory.

Criminal Conviction of Dermatologist, Excessive Use of Multiple Removal Codes - 2015

A Chicago area dermatologist was convicted of committing Medicare fraud by submitting false claims for more than 800 patients that led to payment of reimbursement of approximately $2.6 million. The doctor was accused of falsely diagnosing patients and submitting bills without proper documentation of the necessary condition. Most of the claims appear to have involved diagnosis of actinic keratosis, or sun-induced skin lesions that have potential to become cancerous. The doctor was found guilty of criminal charges arising from this matter in 2015.

The dermatologist was alleged to have falsely documented hundreds of cases of medically unnecessary cosmetic treatments he reported as involving the removal of lesions (CPT 17004). According to court records, the physician billed under the CPT code applicable to the removal of 15 or more lesions on a more or less routine basis. These treatments were allegedly performed on hundreds of repeat patients over a number of years. Many of the patients received this treatment on 10 or more visits. Medicare reimbursed this treatment by paying up to $352.40 per treatment. When these numbers are summarized, it becomes difficult to deny that abuse was going on in this case. Evidence presented suggested the dermatologist falsely claimed to have removed more than 150 pre-cancerous lesions from approximately 350 Medicare patients, more than 450 patients covered by Blue Cross and Blue Shield, and additional patients covered by Aetna and Humana health insurance.

This case appears to have been a relatively clear case of actual fraud rather than failure to properly document the nature of the service. Even though the case represents an extreme situation, it still holds some lessons for providers who are not attempting to commit fraud. A few lessons that can be extracted from this case include:

- Care should be taken when using multiple removal codes such as 17004. These types of codes should not be used systematically. Over time, the removal numbers add up to indicate potential fraud. The record should be accurately and completely documented to support use of multiple removal codes.
- Care should be taken not to bill codes relating to time increments or work units that, in the aggregate, result in an unrealistic amount of time in a given day. Granted, some providers are more efficient than others, but at some point multiple procedure time units become excessive and can be statistically sampled to determine whether the individual doctor is within a standard range of services.

Failure to Supervise and Impossibly Long Days, Payment of $302,000 and Forced Corporate Integrity Agreement – July 2016

The government alleged the dermatologist in this case repeatedly billed for services under the “incident to” billing rules during periods when the dermatologist was not present in the office. Some of the services were allegedly performed when the doctor was traveling out of the country. The government also alleged the doctor billed for impossibly long days including one day where 26 hours were billed.

This case illustrates the need to comply with the “incident to” billing rules. Those rules permit a physician extender’s services to be billed under the physician in certain circumstances. In order to qualify to bill incident to, the physician must be physically present within the office suite at the time the extender performs the service. The physician cannot order the procedure and then leave the office while the procedure is being performed. There are new Medicare rules clarifying some aspects of the “incident to” billing rules. There was a previous ambiguity that some providers interpreted as permitting the physician that ordered the service to bill for the services, even though another physician actually supervised the performance of the service. The rules revision clarified that only the supervising physician can bill the services as “incident to” his or her service. The ordering physician can only bill the service if he or she also supervises the extender.

Repayment and Self Disclosure of Known Overpayments

Posted on May 3, 2017, Authored by John H. Fisher, II, Filed under Health Care

Timeframes for Making Repayment to the Government

The 60-day repayment rule adopted as part of the Affordable Care Act is a very strong arrow in the quiver of federal enforcement agencies. Under the 60-day rule a known overpayment can become a False Claim if it is not repaid or if a self-disclosure is not filed within 60 days after identification. Until final rules were promulgated in early 2016, it was not clear when a provider would be deemed to have “identified” an overpayment. Prior to the final regulations, it was not clear whether the 60-day time period started as soon as a situation was brought to light that could possibly create an overpayment. A strict view of the 60-day rule put a lot of pressure on providers to rapidly investigate situations that could lead to overpayments. In many cases, it was very difficult to reasonably investigate and take action within such a short time frame.

The 2016 regulations gave providers a bit of relief. The regulations clarify that an overpayment is not “identified” when the basic information comes in that could possibly result in an overpayment determination. Instead, providers are expected to use reasonable diligence to investigate situations that could result in an overpayment. Reasonable diligence requires a timely, good faith investigation of credible information. In comments to the final regulations, the Office of Inspector General (OIG) states that reasonable diligence requires an investigation to be conducted within a maximum timeframe of six months from receipt of the credible information that an overpayment might exist. Absent extraordinary circumstances, identified potential issues must be investigated to conclusion within six months. At the expiration of the six-month period, the 60-day disclosure period commences. This provides a total of eight months from initial identification until the time repayment or self-disclosure is due.

OIG acknowledges there might be extraordinary circumstances affecting the provider, supplier, or their community that may make it reasonable to take more than six months to investigate. What constitutes extraordinary circumstances is a fact-specific question. Extraordinary circumstances may include unusually complex investigations the provider or supplier reasonably anticipates will require more than six months to investigate. The OIG mentions natural disasters and states of emergency as providing reasonable justification for extending the investigation period. Use of these circumstances as an example highlights the need to use all efforts necessary to complete the investigation as quickly as possible and to use the six-month standard as the outside target date.

Can Overpayments Create Criminal Liability?

Posted on April 11, 2017, Authored by John H. Fisher, II, Filed under Health Care

We hear a lot about potential liability under the False Claims Act (FCA) for the failure to repay overpayments within 60 days of discovery. Focus on the 60-day rule has taken attention away from the potential for criminal charges for retaining known overpayments. Section 1128B(a)(3) of the Social Security Act (42 U.S.C. § 1320a-7b(a)(3)) makes it a crime to conceal or fail to disclose any occurrence that affects the initial or continued right to any benefit payment. A violation of the statute requires showing the charged individual has knowledge of the event affecting the right to the applicable benefit. A violation of the statute is a felony and is punishable by a maximum of five years in prison and a fine of $250,000 for individuals or $500,000 for corporations.

The Office of Inspector General has applied this statute, even in cases where the overpayment occurs innocently but a party fails to repay a known overpayment. This type of situation is clearly subject to the FCA where repayment is not made within 60 days. Criminal responsibility is also a possibility, particularly when a decision is made not to repay after learning about the existence of an overpayment. Criminal exposure is present for the entity as well as the individuals who are responsible for failing to make repayment of a known overpayment. There is an element of ambiguity regarding application of the criminal component, but this has not stopped prosecutors from asserting the statute in the past.

The Federal Criminal False Claims Statute (18 U.S.C. § 287) can also apply to impose potential criminal liability. This statute applies potential criminal liability on any person who “makes or presents” any claim to an agency of the U.S. Government “knowing such claim to be false, fictitious, or fraudulent.” This statute can lead to a potential 5-year imprisonment plus potential criminal penalties. Conspiracies to violate the Federal Criminal False Claims Statute impose double penalties on participants. Failing to disclose and repay known overpayments could form the basis of a violation of this statute as well.

Other criminal statutes could potentially apply to the failure to repay known overpayments. Mention of the above statutes is not intended to be an exhaustive list of potential exposure.

Self-disclosure is a strong consideration whenever overpayments are discovered. The self-disclosure programs offered by the OIG and Centers for Medicare & Medicaid Services can greatly reduce exposure when a provider discovers overpayments. In advance of using either protocol, an internal investigation should be conducted to determine exactly what occurred. This will help identify the nature and extent of exposure and will also help develop the case for disclosure. Federal investigation standards as described in the Yates Memo will often guide the investigation process and should be considered when structuring the investigation process. The Yates Memo requires an investigation to consider potential individual wrongdoing. Failure to investigate and disclose potential individual wrongdoing can have a negative impact on governmental cooperation.

It is very possible an issue that is the subject of a potential self-disclosure is relatively new to the compliance department. This does not necessarily mean the issue is new to others within the organization. Something that looks like a simple overpayment may have been intentionally overlooked by an individual in the management chain, billing department, or provider staff. This potential makes the investigation much more difficult than it might originally appear. Federal standards now require the investigator to look for individuals who may have had earlier knowledge of an impropriety. Failure to identify individual wrongdoing increases risk to the organization and can result in the failure of the Federal government to cooperate in the settlement of a case.

Exercising Reasonable Care to Identify and Address Potential Overpayments

Posted on April 5, 2017, Authored by John H. Fisher, II, Filed under Health Care

When the Centers for Medicare and Medicaid Services (CMS) finally issued final regulations under the 60-day repayment rule, it implemented a new standard requiring a provider to affirmatively exercise reasonable diligence to identify potential overpayments.  This was a change from the proposed regulations that held providers to a much lower affirmative duty to exercise diligence to find potential overpayments.  When a provider receives “credible information” that indicates a potential overpayment, affirmative steps must be taken in a timely and good faith manner to investigate.  Failure to meet the standard of reasonable diligence can result in significant penalties under the False Claims Act (FCA).  In some cases criminal liability can attach as well, particularly when evidence strongly indicates a problem might exist and a deliberate decision is made not to investigate or repay an amount due.

By now most health care providers are at least generally aware of the 60-day repayment rule.  That rule originated as part of the Affordable Care Act in 2010.  The rule provides that the failure to repay a known overpayment within 60 days after discovery results in potential penalties under the FCA.  This means a simple overpayment is multiplied by a factor of three.  Additionally, penalties can be assessed in amounts ranging from a minimum of $11,000 to a maximum of approximately $22,000 per claim.  Financial exposure under the FCA can be very substantial, particularly when there is a systematic billing error that impacts a large number of claims over a significant period of time.  The lookback period for imputed False Claims is 6 years, which amplifies the potential exposure when the “tip of the iceberg” is discovered in a current year audit.

The initial statutory provision left some ambiguity regarding application of the 60-day repayment rule.  One significant ambiguity relates to when the 60-day time period begins to run.  The statute states the 60-day period commences upon “identification” of the overpayment but included no clarification of when a provider is deemed to have identified the existence of an overpayment.  It was not clear whether identification occurred when there was an allegation that an overpayment exists, when an amount of overpayment was calculated, when the existence of the overpayment was verified, or at some other time.  It was also unclear whether actual knowledge of an overpayment was required or whether knowledge could be imputed in certain circumstances.

CMS provided clarification on the issue of identification in the final regulations, but the clarification places significant burdens on providers.  Under the final rules, the provider is deemed to have identified an overpayment not when actual knowledge is obtained, but rather when the provider “should have” identified the overpayment through the exercise of “reasonable diligence.”  The new standard requires providers to conduct a timely and good faith investigation when they receive credible information an overpayment might exist.  Failing to take reasonable steps to investigate will result in imputed knowledge and deemed “identification” of the overpayment.  In other words, the 60-day clock starts to run when the investigation should have commenced.

It is useful at this point to mention what constitutes an overpayment that invokes the statutory requirement.  An overpayment exists when the provider receives any funds to which they are not entitled.  There is no requirement of an amount threshold, substantiality, or materiality.  Any overpayment invokes the statute and becomes a potential false claim if not repaid within the 60-day period.  There are situations where the amount of overpayment is so small that the provider might determine it not worth the resources to identify, quantify and repay.  When making this determination, it should be kept in mind the FCA will apply if a whistleblower case is brought or a government investigation is commenced and finds the overpayment.  FCA liability can result in large penalties, particularly where there are multiple claims involved.  It should also be kept in mind that criminal statutes impose felony penalties for the willful failure to return known overpayments.

Overpayments that are self-discovered and repaid before they become false claims are relatively easy to manage.  Once the FCA potentially attaches, these situations become increasingly complicated to manage.  The OIG Self Disclosure process should be considered where potential for significant penalties is present.  The Self Disclosure Protocols permit resolution at a minimum of 1.5 times the amount of the overpayment.  Full disclosure of the facts and investigation is required as part of the self-disclosure process.  Only civil penalties are subject to settlement under the protocol.  The wrong facts disclosed as part of the SDP process can lead to criminal charges against the entity or individuals.  Criminal charges cannot be settled using the SDP.

Where amounts are smaller, a provider may decide to repay without going through the protocol process.  A determination of which option is right in the specific situation should be made with the involvement of legal counsel that has experience with these issues.

Proper operation of a compliance program is the best way to mitigate exposure under the 60-day rule.  Prompt investigation should be conducted whenever there is a credible allegation of an overpayment.  Compliance risk identification and proactive auditing can also help mitigate risk by identifying problems early and by demonstrating the compliance process is being effectively operated.  This will help avoid allegations that overpayments should have been discovered sooner through the exercise of a reasonable compliance program.  Most importantly, ignoring alleged overpayments is never an answer that mitigates risk.  All credible allegations must be investigated and appropriate repayment should be made using one of the available methods.  The requirements of the final rule should be baked into compliance program policies and procedures and staff should be educated on the need to investigate and return overpayments within required timeframes.

Compliance Budgeting – Put Your Money Where Your Mouth is

Posted on March 31, 2017, Authored by John H. Fisher, II, Filed under Health Care

You have adopted your basic compliance policies and procedures, established a reporting system and visibly rolled out your new compliance program.  Your board of directors has passed a resolution decisively stating its commitment to compliance.  The CEO issued a letter stating her commitment to compliance and mandating every person in the organization follow the Code of Conduct and perform their activities in a compliant manner.  You may have even integrated compliance training into your initial hire and periodic training programs.

On effectiveness review, the reviewer sits down with your management team.  At some point during the meeting the reviewer goes through a list of critical compliance items: policies and procedures (check); training program (check); reporting system (check); compliance budget … compliance budget?

It turns out you put a great deal of effort into establishing and operating a compliance program but have never established a separate budget line for compliance.  An adequate compliance budget is a significant indicator of an effective compliance program.  Without a separate budget line item, you would need to reverse engineer to determine how much you have spent on compliance.  You talked the talk, but did not walk the walk.  In compliance, it is important to put your money where your mouth is.  But enough of the clichés.

All external compliance standards require your program to be “effective.”  It is difficult to imagine a program meeting effectiveness standards if no financial resources are put behind it.  Having evidence of compliance expenditures at your fingertips can save a lot of effort when it’s time to defend the effectiveness of your compliance program.  Establishing a compliance budget requires focus on what is required to operate your compliance program.  An adequate budget indicates organizational commitment and reinforces support from the top of the organization.  It also reinforces independence of the compliance officer who otherwise is required to beg for resources from other budget areas.

Compliance budgeting is difficult.  The return on investment on revenues allocated to compliance is not always evident to corporate decision makers.  After all, how do you prove or quantify costs that might be avoided through the operation of a compliance program?  Those of us who deal with compliance difficulties fully understand the value of investment in compliance structure and operation.  Companies that go through a compliance issue, particularly one that could have been avoided by a properly funded compliance program, also tend to gain an understanding of the value of compliance.

This does not mean compliance should be immune from expectations of efficiency.  It also does not mean an organization needs to allocate an unrealistic level of funds to compliance.  Compliance efforts and resulting expenditures can be scaled to the size, nature, and complexity of the business.  Issues related to scaling of compliance are perhaps the most difficult aspect of the compliance practice.  In smaller organizations, resources should be focused on areas of greatest vulnerability.  It is also critical to establish a system to identify and rank identified risk areas.  This information can be used to establish a work plan that sets compliance priorities based on a reasonable assessment of potential risk.  Compliance activities objectively determined not to create higher degrees of risk can be scheduled into the future.  If an issue that arises is judged as a lower risk area, the work planning process demonstrates the issue was part of the process but not the highest priority or the area of greatest vulnerability.

Don’t ignore the need to plan compliance activities and budget based on prioritized risk.  A logical and adequate budget established using a well thought out process is the key.  A budget based on specifically identified and prioritized risk areas will be easier to communicate to business minded individuals on your board.  It is much easier to see the potential return on investment when the compliance officer presents a well-supported work plan based on specific identified risk areas.

Exercising Board Oversight of the Compliance Function

Posted on April 19, 2017, Authored by John H. Fisher, II, Filed under Health Care

How the Board can Enhance Compliance Effectiveness

The Board of Directors (Board) of an organization has oversight responsibilities over the compliance program.  Board members are often unsure of the nature and scope of their responsibilities over compliance.  The role of many Boards is limited to receiving occasional updates from the compliance officer.  Compliance is then checked off the “to-do” list and the Board moves on to other issues until their next compliance update.

The way compliance has evolved over the years makes it necessary for corporate boards to take more active responsibility for their compliance oversight function.  Board members should be inquisitive about compliance and should not assume the compliance officer is performing all tasks required in an effective compliance program.  Like any other class of employee, there are some compliance officers who perform effectively and others who will let things slide if they are not held accountable by the Board.

Best practice is for the compliance officer to have a direct line of responsibility to the Board.  Reporting to other executives inherently diminishes the independence of the compliance officer and potentially impedes the performance of compliance activities.  Compliance officer independence is good for the program, at least if the compliance officer is adequately performing the compliance role.  Where there is independence, the Board is really the only place the compliance officer’s activities are assessed.  Matching compliance independence with Board apathy over compliance creates a perfect storm for the compliance program to be operated ineffectively.  This underlines the need of Board members to be inquisitive and press the compliance officer.  Asking the compliance officer pointed questions is one technique that can enhance the Board’s understanding of its role while it assesses the effectiveness of the compliance officer.

Board members should be attentive to agenda items that involve compliance.  If regular agenda items do not exist, Board members should ensure they are included in the future.  A compliance program is not effective unless the compliance officer regularly reports to the Board.  When compliance issues are on the agenda, Board members should come prepared with questions to ask the compliance officer.  This process will help the Board better understand issues the specific organization faces.  It will also help the Board adequately and effectively conduct its oversight responsibilities and will result in a more effective compliance process.

As a follow-up to this Article, I will be posting a list of questions Board members may wish to ask the compliance officer.  The questions should be tailored to the nature of the business and level of understanding Board members have regarding their oversight role.
