Top Four Compliance Risks Companies Face with Recent Health Care Legislation

May 7, 2013

by Peter Katzwith Denise Pedulla

The health care landscape changed dramatically with the passage and upholding by the Supreme Court of the Patient Protection and Affordable Care Act (“PPACA”), as well as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act revisions to the Health Insurance Portability and Accountability (“HIPAA”) Act.  Areas that pose significant new compliance risks include:

• Mandatory disclosures of payments made to physicians and teaching hospitals under PPACA’s Physician Payment Sunshine provisions;
• Enhanced fraud and enforcement provisions;
• Mandatory compliance programs; and
• HITECH amendments to HIPAA expanded protections for patients and increased civil monetary penalties for HIPAA privacy and security breaches.

These recent legislative changes, as well as the respective compliance risks they pose for companies, are discussed below.

Physician Payment Sunshine Provisions

On February 1, 2013, the Centers for Medicare and Medicaid Services (“CMS”) issued its final rule to the provisions under PPACA requiring manufacturers of drugs, devices, biologics, and medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program (“CHIP”) to report payments or other transfers of value made to physicians and teaching hospitals.  The final rule also requires manufacturers and group purchasing organizations (“GPOs”) to disclose to CMS physician ownership or investment interests.

Key dates to note under the final rule are:

• August 1, 2013 – the date data collection must begin for applicable manufacturers and GPOs;
• March 31, 2014 – the date on which applicable manufactures and GPOs must report to CMS the data for the period August 1, 2013 through December 31, 2013; and
• September 30, 2014 – the date that CMS will publish the data on a public website.

Non-compliance with the disclosure requirements under the Sunshine final rule include financial penalties ranging from $1,000 to $10,000 for each payment or transfer of value not reported, and $10,000 to $100,000 for “knowingly” failing to report a payment or transfer of value.

 Enhanced Fraud and Abuse Enforcement

PPACA introduced significant changes to existing anti-fraud law in the areas of civil and criminal enforcement:

For example, the federal Anti-kickback statute (“AKS”) and Health Care Fraud statute (18 U.S.C. § 1347) no longer require an individual be aware that he or she is violating the statute’s specific provisions.  All that must be proven is the intent to engage in the conduct and knowledge that the actions were unlawful.  Consequently, the risk of liability under these criminal statutes is heightened.

PPACA also amended the AKS to explicitly provide that a violation of the AKS now constitutes a false and fraudulent claim under the False Claims Act (“FCA”).  Previously, the government (or relator) had to demonstrate that the kickback was specifically related to the submission of a false claim.

In addition, PPACA allows whistleblowers to file claims even if they are not the original source of all the information they provide, narrowing the “public disclosure” definition, and allowing qui tam actions that are based upon previous state filings or private lawsuits.  As a result of these legislative changes, one might expect that whistleblower lawsuits will increase.

PPACA also required that health care providers report and return any overpayment within 60 days of “identification” of the overpayment.  Failure to disclose and return the overpayment is now considered a “reverse false claim,” and subjects the violator to FCA liability.  As the term “identification” has yet to be defined, compliance with this new provision under PPACA poses a significant challenge for health care providers and companies.

Other changes under PPACA include:

• Addition of billions of dollars to the federal budget over 10 years to cover fraud and abuse detection and prosecution programs;
• Expansion of recovery audit contractor (“RAC”) coverage to Medicaid and Medicare Parts C and D;
• Expansion of the U.S. Department of Health and Human Services Office of Inspector General’s (“HHS-OIG”) authority to suspend payments to providers during the investigation of a “credible allegation of fraud;” and
• Amending the U.S. Federal Sentencing Guidelines’ loss calculations to specifically include the total value of all claims, not just the amount paid.

Mandatory Compliance Programs

One of the little-known but critical provisions of PPACA is Section 6401(a) (7) which mandates that all health care providers enrolled in Medicare and Medicaid establish a compliance program that contains core elements relevant to that provider, supplier, industry and category.  To date, HHS-OIG has only specified that these core elements be implemented by nursing homes and has not yet issued implementing regulations.  However, it is anticipated that the implementing regulations will mirror prior compliance program guidances previously issued by HHS-OIG.  These guidances, among other things, recommend that the following elements be included in a compliance program to ensure its effectiveness:

• High level oversight (including a compliance officer and committee, preferably directly reporting to the CEO or Board);
• Written compliance policies and procedures, including a code of conduct;
• A system for communication of suspected compliance violations, including confidentiality, anonymity and promise of non-retaliation;
• Formal training and education programs that are general as well as focused (e.g., high-risk areas);
•  Timely investigation and remediation of suspected violations;
•  Consistently applied enforcement policies;
• Auditing and monitoring programs designed to evidence effectiveness of compliance and identify potential risk areas; and
•  Ongoing assessment process designed to identify and mitigate risks.

Health care providers and companies which have yet to implement compliance programs should anticipate incorporating these core elements as the foundation for their compliance programs in order to meet the specific compliance guidance that is anticipated to be published by CMS and HHS-OIG.

HITECH Amendment to HIPAA

 On January 17, 2013, the final rule addressing the HITECH revisions to HIPAA was published and became effective on March 26, 2013.  The final rule expands the requirements for safeguarding patient protected health information (“PHI”), increases patients’ rights with respect to PHI, and includes increased liability provisions for covered entities and business associates.  The final rule also increases the civil monetary penalties for HIPAA privacy and security rule violations.  As a result of these amendments, it may be expected, among other things, there will be increased HIPAA audits conducted by the Office of Civil Rights, which is charged with enforcing compliance with the HIPAA privacy and security requirements by covered entities and their business associates.

In light of these recent legislative changes, the need for effective corporate compliance programs has never been more critical.  Health care providers and companies should conduct risk assessments and review their existing compliance policies and procedures, training programs and internal controls to address the new reporting requirements and government enforcement priorities under PPACA, as well as the enhanced PHI protections under the HITECH amendments to HIPAA, in order to minimize liability risk.  Such compliance enhancements should be a priority for all health care providers, companies and their respective compliance teams in order to ensure compliance program effectiveness in preventing and detecting violations of these new health care laws.

Berkeley Research Group, LLC is not a CPA firm and does not provide audit, attest, or public accounting services. BRG is not a law firm and does not provide legal advice.

_________________________________________

Ms. Denise Pedulla is a Principal of Berkeley Research Group’s Boston, Massachusetts office and a member of the BRG – Health Analytics and Corporate Compliance and Regulatory Risk Management Practices.  Prior to joining BRG, Ms. Pedulla served as Senior Vice President and Chief Compliance Officer at Orthofix International NV, an international orthopedic medical device company, where she was responsible for developing and managing Orthofix’s domestic and international corporate compliance and ethics program and assisting the company in successfully resolving several federal health care investigations related to legacy business practices.  Prior to Orthofix, Ms. Pedulla served as Vice President of Compliance, Regulatory and Government Affairs and Associate General Counsel for Fresenius Medical Care North America.

An attorney, Ms. Pedulla has more than 24 years of experience in health care regulatory compliance.  She has extensive expertise in corporate compliance and has developed all aspects of compliance and ethics programs from their inception for hospitals, medical centers, physician group practices, durable medical equipment suppliers and medical device companies.  Ms. Pedulla is certified in health care compliance by the Health Care Compliance Association and holds a Bachelor of Science in Nursing from Boston College, a Juris Doctorate from Suffolk University and a Masters of Public Health in Health Policy and Management from Harvard University.  Ms. Pedulla is a current member of the Health Care Compliance Association, the Health Law Sections of the American, Massachusetts and Florida Bar Associations and the American Health Lawyers Association. dpedulla@brg-expert.com

 

About the Author
Peter Katz joined Berkeley Research Group after a 17-year career as a state and federal prosecutor and litigator in four of the nation’s most respected prosecutorial offices. He brings to BRG a unique perspective to investigations, data collection, and forensic analysis. At BRG, Mr. Katz focuses on governmental and internal investigations in health care and all financial-related matters. He also lends his expertise to assist healthcare, life sciences and medical device entities in establishing, reviewing and modifying their regulatory compliance programs. He also acts as a Monitor and as a member of an Independent Review Organization. Mr. Katz has prosecuted thousands of cases, bringing over 50 to trial, many involving intricate data analysis and expert testimony. In eight years working for Robert Morgenthau at the Manhattan District Attorney’s Office, Mr. Katz led some of the most difficult and complex cases in the office specialized in criminal investigations, negotiation and trial advocacy. He developed his investigative and analytical skills during the nine years he spent as an Assistant U.S. Attorney in the United States Attorney’s Offices in the Eastern District of New York, District of New Jersey and the Fraud Section at Main Justice. He has led numerous complex white collar investigations, including the last successful prosecution stemming from the demise of Enron. Most recently, he has focused on health care fraud allegations as a member of the Department of Justice’s highly acclaimed Health Care Fraud Prevention and Enforcement Action Team (HEAT). To that end, Mr. Katz was in charge of a team of investigators, analysts, and fellow prosecutors in identifying, investigating and prosecuting fraud within Medicare. He was personally responsible for investigations involving overbilling, medical necessity, unbundling and double billing in a myriad of industries, including home health, skilled nursing facilities, physical therapy, dialysis, proctology, workers’ comp, infusion, among others. Drawing on his background in all areas of investigation, prosecution, and trial, Mr. Katz provides a unique perspective on the coordination between counsel, client, and expert. He works closely with other BRG experts in seeing that BRG’s work in its investigations is complementary to counsel’s and is based on the full set of known facts, while taking into account all relevant facets of the investigation. At BRG, he focuses on governmental and internal investigations in health care and all financial-related matters. In addition to his law degree, Mr. Katz is Certified in Health Care Compliance by the Health Care Compliance Association and teaches Healthcare Fraud and Abuse as an Adjunct Professor at Rutgers Law School. pkatz@brg-expert.com

http://www.corporatecomplianceinsights.com/top-four-compliance-risks-companies-face-with-recent-health-care-legislation/?goback=%2Egde_1931142_member_241691135