-->

False Claims Act Penalties Have Almost Doubled Over the Last Year

June 20, 2017 by  
Filed under False Claims Act

(June 21, 2017):  The federal False Claims Act is the primary civil enforcement tool used by the U.S. Department of Justice to fight fraud committed against government programs by individuals and entities.  Often referred to as “Lincoln’s Law,” the statute was first enacted in 1863, in the midst of the Civil War, to combat the wrongful conduct of government contractors.  Under the whistleblower provisions of the False Claims Act, an individual (also known as a “relator”) with knowledge of a fraud against the government, can essentially step into the shoes of the government and file a case, under seal, on behalf of the government, in the name of, the United States.  After a False Claims Act case is filed, if the government elects to intervene in the case and a recovery is made, the relator may be eligible to receive between 15% and 30% of the monies.  If the government decides not to intervene in the case and the relator moves forward, if a recovery is made, the relator can collect up to 30% of the monies.

I.  Recoveries Under the False Claims Act in 2016 Were Substantial:

Most of the False Claims Act cases brought against health care providers are filed by whistleblowers. As set out in a December 2016 DOJ Press Release, during Fiscal Year 2016 the federal government obtained more than $4.7 billion in False Claims Act settlements and judgments. Of this total, $2.5 billion came from individuals and entities in the health care industry.

II.  Penalties Under the False Claims Act Will Vary By When a False Claim Was Made:

Violations of the False Claims Act can occur in a variety of ways.[1] Simply stated, if you “knowingly”[2] present or cause to be presented, a false claim to the government for payment, you may be liable for both penalties and treble damage.  An individual or entity found to have violated the False Claims Act may be liable for both civil penalties and treble damages. Under the 1986 amendments to the False Claims Act the range of civil penalties for violations of the False Claims Act from $5,000 to $10,000.  Since that time, a number of additional adjustments have been made:

  • For false claims or statement made after October 23, 1996, but before August 1, 2016, the minimum penalty which may be assessed under 31 U.S.C. 3729 is $5,500 and the maximum penalty is $11,000, per false claim or statement.

  • For false claims or statements made on or after August 1, 2016, but before February 3, 2017, the minimum penalty which may be assessed under 31 U.S.C. 3729 is $10,781 and the maximum penalty is $21,563, per false claim or statement. 81 Fed. Reg. 26127, 26129 (May 2, 2016).

  • For false claims or statements made on or after February 3, 2017, the minimum penalty which may be assessed under 31 U.S.C. 3729 is $10,957 and the maximum penalty is $21,916, per false claim or statement. 82 Fed. Reg. 9131, 9133 (February 3, 2017).

As the above adjustments reflect, since August 1, 2016, the amount of penalties that may be assessed under the False Claims Act has nearly doubled.

III. Statute of Limitations to Bring a Claim Under the False Claims Act:

As set out under 31 U.S.C. 3731(b)(1) and (2), a civil action under 31 U.S.C. 3730 may not be brought more than more than 6 years after the date on which the false claim violation occurred, OR more than 3 years after the date when facts material to the right of action are known or reasonably should have been known by the official of the United States charged with responsibility to act in the circumstances.  However, in no event can a civil action be brought more than 10 years after the date on which the violation is committed.  From a practical standpoint, this means that a defendant may be held liable for false claims knowing submitted to the government over as much as a 10 year period.

IV.  Conclusion:

As outlined above, the potential penalties that may now be assessed for each violation of the False Claims Act add up quickly.  Coupled with the fact that the government may be able to seek penalties and damages for up to 10 years of wrongful billing could easily mean the financial demise of your health care company.   It is therefore essential that you take appropriate steps to reduce your level of risk.  The development and implementation of an effective Compliance Program will be a key component of your risk reduction strategy.

Liles Parker Attorneys Have Extensive Experience Handling False Claims Act Cases.Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at the health law firm, Liles Parker, Attorneys & Counselors at Law.  A number of our attorneys have served as Assistant U.S. Attorneys and in management positions at the Department of Justice.  Our attorneys understand the False Claims Act and can represent you in False Claims Act matters and cases. If you have questions regarding the False Claims Act, give us a call.  For a free consultation, call Robert W. Liles.  He may be reached at:  (202) 298-8750.

[1] Effective for false claims made on or after February 3, 2017, under 31 U.S.C. 3929(a)(1), any person who:

(A) Knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval;

(B) Knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim;

(C) Conspires to commit a violation of subparagraph (A), (B), (D), (E), (F), or (G);

(D) Has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property;

(E) Is authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true;

(F) Knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge property; or

(G) Knowingly makes, uses, or causes to be made or used, a false record or statement material to an obligation to pay or transmit money or property to the Government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the Government;

Is liable to the United States government for a civil penalty of not less than $10,957 and not more than $21,916, plus 3 times the amount of damages which the government sustains because of the act of that person.

[2] Under 31 U.S.C. 3729(b), the terms “knowing” and “knowingly” mean that a person, with respect to information:

(i) Has actual knowledge of the information;

(ii) Acts in deliberate ignorance of the truth or falsity of the information; or

(iii) Acts in reckless disregard of the truth or falsity of the information; an

Importantly, the government does not have to show proof of specific intent to defraud in order for a violation of the False Claims Act to be found.

 

Download PDF

False Claims Act: Whistleblower Cases Have Continued to Rise Since the Passage of the Affordable Care Act

March 6, 2015 by  
Filed under False Claims Act, Featured

Whistleblower

Number of whistleblowers on the rise

(March 3, 2015): The federal False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733 is the primary civil enforcement tool utilized by the U.S. Department of Justice (DOJ). Enacted in 1863, this Civil War era statute was passed by Congress in an effort to address the fraudulent acts of government contractors providing goods and services to the Union Army. While originally passed to serve deter government military contracting fraud, the scope and use of the statute has greatly expanded over the last 150 years.

           Today, the federal False Claims Act statute is most frequently utilized by the government (and by whistleblowers bringing False Claims Act cases on behalf of the federal government) in connection with allegations of health care fraud by individuals and entities participating in Medicare, Medicaid and other federal health care benefits programs. The purpose of this article is to examine the impact, if any, of the passage of the Patient Protection and Affordable Care Act (Affordable Care Act) on the number of health care “qui tam” (also commonly referred to as “whistleblower”) cases that have been filed under the federal False Claims Act

I.  Impact on the False Claims Act – Passage of the Affordable Care Act:

           On March 23, 2010, President Obama signed the Affordable Care Act into law. While the primary purpose of the 906 page legislation was to make health care insurance accessible and affordable for millions of uninsured Americans, the law also introduced a number of fundamental changes to the False Claims Act. Several of these important changes are outlined below:

  • The Affordable Care Act Amended the Definition of Two Key Terms Under the False Claims Act.

          Under the Affordable Care Act, the definition of the term “public disclosure” (as utilized under the False Claims Act) was amended to abolish the public disclosure bar. The definition of “public disclosure” was further revised to permit a qui tam relator to bring a whistleblower action that is based on allegations that have been previously disclosed in government or private litigation (as long as the relator meets the statutes “original source” requirements.

           Prior to the passage of the Affordable Care Act, if a qui tam relator sought to bring an action based on public disclosures, the relator was required to qualify as an “original source” and have “direct and independent knowledge” of the facts alleged to constitute violations of the False Claims Act and have provided that information to the government prior to filing suit.   Under the Affordable Care Act, a qui tam relator is now only required to have “knowledge that is independent of and materially adds to the publicly disclosed allegations . . .”  As you can imagine, this change makes it significantly easier for an individual to meet the False Claims Act’s original source requirements.

Ultimately, the changes implemented under the Affordable Care Act to the False Claims Act’s public disclosure bar and the original source doctrine have made it easier for a relator to file a case involving public disclosure issues

  • The Affordable Care Act Defines Improperly Held Overpayments as an “Obligation,” Within the Meaning of the False Claims Act.

           Under the Affordable Care Act, a health care provider’s liability under the False Claims Act was significantly broadened to cover identified “overpayments” that were improperly retained for more than 60 days. More specifically, 42 U.S.C. 1320a-7k(d) was revised to define “overpayments” as “Medicare funds received or retained to which a person is not entitled, after applicable reconciliation.” Overpayments must be reported and returned to the government (typically a Medicare Administrative Contractor) within 60 days of identification. Should a health care provider fail to return an overpayment within the statutorily required period, the overpayment then qualifies as an “obligation,” thereby subjecting the provider to liability under the False Claims Act.

  • The Affordable Care Act Makes it Clear that a Violation of the Federal Anti-Kickback Statute May Also Constitute a Violation of the False Claims Act.

      As set out in §6402(f)(1) of the Affordable Care Act, any claims constituting a violation of the federal Anti-Kickback Statute (42 U.S.C. §1320a-7b(b)) qualify as “claims” for purposes of the False Claims Act (31 U.S.C. §§ 3729 et seq.). In addition to this fundamental change, the Affordable Care Act also arguably lowers the scienter and intent standards required for a violation of the Anti-Kickback Statute. As §6402(f)(2) of the Affordable Care Act provides, in order for an individual or entity to commit a violation of the federal health care Anti-Kickback Statute “a person need not have actual knowledge of this section or specific intent to commit a violation of this section.”

II.  The Number of Health Care Qui Tam Cases has Set New Records Since the Passage of the Affordable Care Act:

           Collectively, the changes set out above make it much easier for both a relator and the government to bring a False Claims Act case against a health care provider or supplier. Notably, the number of new health care qui tam cases filed in 2010 (the Affordable Care Act was signed into law on March 23, 2010) rose to 385, a new high at that point in time. In FY 2013, the number of health care qui tam cases reached an all-time of 501 cases. While there was a slight drop (to 469 cases) in the number of health care qui tam cases filed in FY 2014, all indications are that FY 2015 may again challenge the record of cases filed in FY 2013.

III. Overview of the False Claims Act’s Qui Tam Provisions:

           One of the most unique elements of the False Claims Act is that it authorizes private parties having direct knowledge of fraudulent conduct to bring a civil suit (on behalf of the government) against an individual or entity that has violated the statute. These civil suits are known as “qui tam” actions, and the private parties who initiate such actions are called “relators”. Qualified relators may share in any monies recovered as a result of their qui tam action.[1]

            A qui tam action is initiated when a relator files a Complaint – along with supporting documentation – “under seal” in federal court. When a case is filed under seal, it means that all records associated with the whistleblower are maintained on a non-public docket by the Clerk of the Court. A copy of the complaint is given to the judge assigned to the case. The relator’s attorney also serves a copy of the complaint on the Attorney General in Washington, D.C. and on the U.S. Attorney in the federal judicial district in which the case has been filed.[2] By statute, the government is initially given 60 days to evaluate whether to “intervene” in the qui tam case that has been brought against the defendant. In almost all cases, the government will seek an extension to allow it an opportunity to further investigate the allegations. After showing “good cause” for an extension, most federal courts readily grant the government’s request for an extension. It is not at all uncommon for a qui tam to remain under seal for over a year (and often much longer) while the government reviews the allegations. The seal is important for several reasons:

  • The government can quietly investigate the allegations without the defendant knowing that their company is under investigation.
  • The mere existence of a government investigation can be devastating on the public’s view of a company. Moreover, if a company is publicly-traded, the publicity surrounding a government investigation can severely affect the price of a company’s stock—despite the fact that the allegations at issue have not been investigated or proven at this point in the process.

            After concluding its evaluation, the government may elect to proceed with the complaint and intervene in the case or it may decline to intervene. If the government decides to intervene in the action, then the relator has the right to remain a party to the action. If the government decides not to intervene in the case, the qui tam relator may elect to proceed on his or her own against the defendant. Notably, the government always retains the ability to intervene in the case at a later time. From a practical standpoint, if the government decides not to intervene in a case, in all likelihood the relator will seek to dismiss the suit. Unlike the government, a relator’s ability to investigate a False Claims Act case is quite limited, both in terms of resources and in terms of investigative tools. As a result, the government’s decision to decline to intervene severely impacts a relator’s ability to move forward with the case.

IV.  What Can You Do to Reduce the Likelihood of a False Claims Act Case:

           In light of the changes to the Affordable Care Act outlined above, it is imperative that health care providers and suppliers comply with all applicable medical necessity, documentation, coding and billing regulations. An effective Compliance Program can serve as an invaluable tool and can greatly assist providers and suppliers in their efforts to stay within the four corners of the law. As Supreme Court Justice Oliver Wendell Holmes wrote:

“Men must turn square corners when they deal with the Government.”[3]

           Effectively, Justice Holmes’ comment serves as a continuing caution for individuals and entities who participate in government programs. Unfortunately, it isn’t always that easy for a health care provider or supplier to determine whether an overpayment exists, especially in complex cases where a patient has secondary insurance and/or the number of claims processed (as charges, credits, and corrections) may be quite large. Additionally, due to the complexity of Medicare coverage and payment rules, two reasonable individuals may disagree as to whether an overpayment is present. Despite the fact that two reasonable minds may disagree on whether an overpayment exists, the fact remains that a health care provider or supplier is ultimately responsible for repaying any overpayments due to the government. In order to avoid potential False Claims Act liability, it is imperative that you fully research any outstanding issues and determine the scope of any overpayment to be reported and repaid to the government.

V.  Conclusion:

           An effective compliance plan can assist in the identification and proper handling of overpayments, thereby reducing the provider’s risk of committing a violation of the False Claims Act. Health care providers and suppliers should review their current Compliance Plan to better ensure that internal audit and review mechanisms are in place so that any overpayments can be readily identified and repaid to the government within the 60-day deadline. The decision of whether to disclose and return an overpayment, whether to a MAC, the Department of Health and Human Services – Office of inspector General (HHS-OIG), or to the Department of Justice (DOJ), may differ depending on the facts. Depending on the size or complexity of an overpayment, a health care provider may need to contact legal counsel for advice on how to best handle a specific overpayment. Due to the 60-day deadline, if legal counsel is to be involved, they should be contacted as soon as possible.

 

Robert Liles represents health care providers in RAC and ZPIC appeals.Robert W. Liles serves as Managing Partner at Liles Parker. Robert has worked in health care administration since 1984 and previously served as “National Health Care Fraud Coordinator” for Executive Office of U.S. Attorneys, Department of Justice. Robert has extensive experience working on False Claims Act matters and cases. For a free consultation on your case, you may call Robert at: 1 (800) 475-1906.

[1] Relators can receive between 15% and 25% of any recovery in a qui tam action where the government has intervened in the case. In a non-intervened case, a relator may recover up to 30%. Consequently, there is a tremendous financial incentive to file and pursue these types of actions.

[2] The relator must also serve a “disclosure statement” on DOJ (normally, it is provided to the U.S. Attorney’s Office) which sets out the evidence that the relator has in support of the allegations set out in his/her Complaint. This statement is not filed with the Complaint.

[3] Rock I., Ark. & La. R.R. v. United States. 254 U.S. 141. 143 (1920). As Supreme Court Justice Felix Frankfurter commented, this statement “does not reflect a callous outlook. It merely expresses the duty of all courts to observe the conditions defined by Congress for charging the public treasury ” Federal Crop Ins. Corp. v. Merrill, 332 U.S. 380, 385 (1947).

Download PDF

Dental Fraud Settlement — $5.05 Million to be Paid by Oklahoma Dental Practice in Medicaid Case.

Dental Fraud Investigations are Increasing Around the Country.

 (November 10, 2014):  Dental fraud investigations and audits are becoming increasingly prevalent throughout the United States.  An Oklahoma-based dental practice has recently agreed to pay $5.05 million in civil claims stemming from allegations that the practice committed Medicaid dental fraud, submitting false claims to Medicaid from January 2005 through September 2010. The Oklahoma practice provides dental care to Medicaid-eligible children through multiple clinics located in a number of states. Each dentist draft visit notes that outlines the services performed on each individual patient. The practice then submits claims for reimbursement to the Oklahoma Health Care Authority (OHCA) based on dentists’ documentation. After OHCA reimburses the practice for those claims, the dentists are then reimbursed a certain percentage.

I.  Dental Practice Submits Claims For Work Never Performed or Coded at Higher Levels:

According to a practice spokesperson, the allegations arose with respect to a dentist who last worked at a dental office in September 2010. Specifically, this dentist has been accused of submitting treatments notes for services that were never performed, which is a clear example of Medicaid dental fraud.  Notably, this individual has already been sentenced to 18 months in Federal prison for fraud in a separate matter. She was released earlier this year but must still pay more than $375,000 in restitution.

II.  Effect of the Dental Fraud Settlement Agreement:

This settlement agreement resolves allegations that the dental practice violated the Federal and State False Claims Acts by submitting false Medicaid claims for dental restorations that were never performed or were billed at a higher rate than allowed. The agreement also releases the practice and its owner from any civil liability in the underlying case. Nevertheless, the practice must still adhere to additional record-keeping, reporting, and compliance requirements.

Settlement agreements such as this have become a useful tool in False Claims Act cases. They allow the government and individual parties to avoid the expense and uncertainty involved in actually litigating a case. Moreover, as seen in this case, prosecuting authorities do not generally make any concessions about the legitimacy of the alleged Medicaid dental fraud.

III.  Conclusion:

Identifying and combating fraud in both the federal Medicare and joint State/Federal Medicaid program has been a high priority for government health care enforcement agencies. Effective enforcement measures help ensure that instance Medicare and Medicaid dental fraud are identified, ensuring that the dollars are provided to care for individuals who truly need assistance.

We continually strive to protect government programs, such as Medicaid, from fraud and abuse by ensuring they are used properly and only by those who are in need and are eligible,” U.S. Attorney Sanford C. Coats said. “This case is a good example of the value of coordination between state and federal law enforcement, as well as the coordinated use of parallel proceedings, to achieve a successful civil and criminal resolution.”

Dental practices can help avoid allegations of fraud, waste, and abuse through the development, implementation and adherence to an effective compliance program. A compliance program can go a long way towards enabling a dental practice to identify potential improper or fraudulent practices before they occur. It is a strategic and vital tool that will assist you in following recognized best practices in the dental industry. Have you implemented a compliance program for your dental practice? If not, you may be placing your organization at significant risk. Give us a call today at and we would be more than happy to assist you in developing an effective compliance program for your dental practice.

Saltaformaggio, RobertRobert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent dental practices around the country in connection with Medicaid audits by federal and state agencies and CMS-engaged specialty contractors.  The firm also represents dental providers in connection with HIPAA Omnibus Rule risk assessments, privacy breach matters, State Dental Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906

Download PDF

OCR to Covered Entities, Business Associates: Encryption Is Your Best Defense against HIPAA Violations

(May 29, 2014)  On April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) announced that it had entered into resolution agreements with two entities for $1,725,220 and $250,000, respectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The main take away from these settlements? Covered entities and business associates could best protect themselves against future violations through encryption procedures.

I.     HIPAA and HITECH Impose Duty to Safeguard Privacy and Security of Patient PHI

Under the Health Insurance Portability and Accountability Act of 1996[1] (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act[2], covered entities[3] and business associates[4] must safeguard the privacy and security of their patients’ Protected Health Information (PHI). PHI includes any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[5]

Additionally, in January 2013, HIPAA was updated via the Final Omnibus Rule. These updates not only greatly enhanced a patient’s privacy rights and protections, but it also strengthened the ability of HHS-OCR to vigorously enforce the HIPAA privacy and security protections. For example, covered entities and business associates must review and modify security measures as needed to ensure the continued provision of “reasonable and appropriate” protection of EPHI.[6] Moreover, the impermissible use or disclosure of PHI (i.e. in violation of the HIPAA Privacy Rule) is now presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been comprised.[7]

However, while employees of covered entities and business associates regularly use laptops, tablets or other mobile devices to access, store and transmit electronic PHI (EPHI), many of these entities have not implemented effective requisite safeguards to protect this sensitive information. These devices, many of which remain unencrypted, leave EPHI vulnerable to unauthorized access and disclosure. Under these circumstances, a “breach”[8]  has occurred and must be reported.  Furthermore, there are significant civil monetary penalties for security breaches.

II.     Stolen Laptops Lead to HIPAA Settlements

Unauthorized breaches regularly occur in situations when electronic devices are lost or stolen.  In fact, stolen laptops with unencrypted EPHI have resulted in many recent settlement agreements with HHS-OCR. Just last month, two covered entities agreed to collectively pay HHS-OCR almost $2 million to resolve potential violations of the HIPAA Privacy and Security Rules.

Following the first covered entity’s submission of a breach report indicating that a laptop had been stolen from one of its facilities, HHS-OCR initiated a compliance review. HHS-OCR concluded that the covered entity recognized that lack of encryption of electronic devices posed a security risk to patient data. However, it “failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.”

As to the other covered entity, HHS-OCR found that it “did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule.”

As part of the resolution agreements with HHS-OCR, both covered entities entered into a corrective action plan where it agreed to provide OCR with an updated risk assessment management plan, updates on the encryption status of its devices and equipment, and proof that they had completed security awareness training of their staff.

III.     Conclusion

A review of both settlement agreements reveals some interesting findings. Notably, both agreements reflect some degree of compliance with the Security Rule prior to the imposition of a monetary settlement. While covered entities and their business associates should review these settlement agreements; it is important to understand that partial compliance with HIPAA and HITECH is NOT SUFFICIENT. If you are found to be in violation of the Rules, civil monetary fines will be levied on you.

Covered entities and business associates should ensure that they are in FULL COMPLIANCE with the requirements of HIPAA.  You must takes steps to immediately conduct a full Security Rule risk assessment and mitigate any identified risks to patient PHI. Do you need help conducting a risk assessment or instituting a full compliance program? We would be more than happy to assist you. Give us a call today.

Remember: if you and your staff are using laptops to access, store and transmit ePHI, OCR has given you the appropriate guidance to safeguard your patients – and YOU: “[…] encryption is your best defense against these incidents.”


[1] Pub.L. 104–191, 110 Stat. 1936.

[2] Enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5

[3] “Covered entities” generally include health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. 45 C.F.R. 160.103.

[4] See 45 CFR Sections 160.102 and 160.103.

[5] 45 C.F.R. 164.501.

[6] 45 C.F.R. 164.306(c).

[7] 45 CFR §§ 164.400-414.

[8] See 45 CFR §§ 164.402.

Saltaformaggio, RobertRobert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.

 

Download PDF

Covered Entities and Business Associates Beware! HHS OCR Announces Latest Survey in Preparation for New HIPAA Audits

RACs and ZPICs are Conducting Prepayment Audits

(March 26, 2014) Last month, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it will survey up to 1200 organizations as part of its plan to prepare for the latest round of HIPAA audits. More importantly, covered entities and business associates should be asking themselves – has your organization fully complied with the HIPAA Privacy, Security, and Breach Notification Rules?

I.            HIPAA Omnibus Final Rule

In January 2013, HHS enacted a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1].  According to HHS, the HIPAA Final Omnibus Rule “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”  The rule would afford patients increased protection and control of their personal health information.

The Final Rule expanded HIPAA’s Privacy and Security Rules beyond covered entities (i.e., health care providers, health plans and other entities that process health insurance claims) to also include business associates of these entities that receive protected health information (PHI). It also increased penalties for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. Furthermore, the changes strengthened the Health Information Technology for Economic and Clinical Health (HITECH)[2] Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

II.            HIPAA Pilot Audit Program

Notably, HITECH requires HHS to perform periodic audits of covered entities and business associates in order to analyze their compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS relies on its OCR to enforce these rules and assess whether covered entities and business associates are compliant.

In 2011, HHS OCR established a pilot audit program to assess the controls, processes, and policies that covered entities had implemented to protect the privacy of PHI. Under this pilot audit program, OCR developed an audit protocol that would measure the efforts of 115 covered entities. Notably, every type of covered entity was eligible for an audit. As part of its ongoing commitment to protect patient health information, OCR also instituted a formal evaluation of the effectiveness of the pilot audit program.

In April 2013, OCR released its findings from the HIPAA audit pilot program. OCR found that most of the evaluated entities – which included health plans of all types, health care clearinghouses, and individual and organizational providers – did not conform to the three audit areas: the HIPAA standards for security, privacy, and breach notification. 

OCR also determined that most of the covered entities (two thirds of the entities audited) failed to perform a comprehensive, accurate security risk assessment. Remarkably, OCR found that the most common cause of non-compliance was that the entity was “unaware of the requirement”. 

As to the privacy requirements, covered entities were most “unaware” of the notice of privacy practices for PHI, access of individuals to PHI, minimum necessary, and authorizations.  The security requirements that covered entities were most “unaware” of related to risk analysis, media movement and disposal, and audit controls and monitoring. 

OCR also found that “level 4 entities” – i.e.,  small providers (10 to 50 provider practices, community or rural pharmacies), entities with little to no use of health information technology, or providers with revenues less than $50 million –  were generally vulnerable and non-compliant in all three-audit areas. In fact, healthcare providers that fell into this category accounted for 65% of all policy violations.

III.            HHS OCR Announces Next Round of HIPAA Audits

In a February 2014 notice in the Federal Register, HHS OCR announced that it would survey up to 800 covered entities and 400 business associates to gather information as part of the first step in selecting organizations for the next round of HIPAA audits. Specifically, the survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” OCR intends to collect information that includes “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”

This latest survey may point to a revitalization of the HHS OCR HIPAA Audit Program, which has not been active since the conclusion of the pilot audit program in December 2012. It will provide another opportunity for HHS OCR to examine different mechanisms for compliance with HIPAA/HITECH, identify best practices, and discover new risks and vulnerabilities.

What can providers – as well as business associates – expect in the next round of HIPAA audits?  Providers should anticipate that HHS OCR will focus more specifically on many of the problem issues identified in the pilot audit program – timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures.

IV.            Conclusion

It is imperative that all covered entities and their business associates affirmatively review their practices to help ensure that they are fully compliant with all of the requirements demanded by the HIPAA Privacy, Security, and Breach Notification Rules.  With the latest survey set to preclude an additional round of HIPAA audits, HHS OCR may be signaling a renewal or stronger push by its audit program.  So what should you do to prepare?

Ultimately, each and every covered entity and business associate needs to develop, implement and adhere to an effective Compliance Plan.  In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements are being met.  Need help setting up your Compliance Plan?  Give us a call.


[1] Pub. L. 104-191, 110 Stat. 1936.

[2] Enacted under Title  XIII of fthe American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).

Robert W. Liles is a health care attorney experienced in handling prepayment reviews and audits.Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.

Download PDF

A Recent False Claims Act Case Being Brought Against an Individual Physician has Resulted in a Record Recovery for the Government.

False Claims Act cases against physicians and other solo providers are increasing.(February 12, 2013):  The civil False Claims Act is the primary civil enforcement tool used by the U.S. Department of Justice.  As discussed below, the False Claims Act is an extraordinarily useful statute for government prosecutors, both in terms of ease of use and in terms of the damages which may be recovered by the government.

I.   Overview of the False Claims Act:

As set out below, the civil False Claims Act imposes civil monetary penalties and will expose a person to civil liability under the circumstances below:

Sec. 3729.  False claims 

(a) Liability for Certain Acts—any person who: 

(1) Knowingly presents, or causes to be presented, to an officer or employee of the United States Government or a member of the Armed Forces of the United States a false or fraudulent claim for payment or approval; 

(2) Knowingly makes, uses, or causes to be made or used, a false record or statement to get a false or fraudulent claim paid or approved by the Government; 

(3) Conspires to defraud the Government by getting a false or fraudulent claim allowed or paid; 

(4) Has possession, custody, or control of property or money used, or to be used, by the Government and, intending to defraud the Government or willfully to conceal the property, delivers, or causes to be delivered, less property than the amount for which the person receives a certificate or receipt; 

(5)  Authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true; 

(6) Knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge the property; or 

(7) Knowingly makes, uses, or causes to be made or used, a false record or statement to conceal, avoid, or decrease an obligation to pay or transmit money or property to the Government, 

. . . is liable to the United States Government…  

II.    What is Not Covered Under the False Claims Act:

            It is essential to keep in mind that the civil False Claims Act does not cover mistakes, accidents, or mere negligence.  Unfortunately, the line separating a billing “mistake” from a non-intentional wrongful billing, which could give rise to an action under the False Claims Act, is not always easy to discern.  In an effort to provide additional guidance to DOJ attorneys on the judicial use of the False Claims Act, guidance setting out a number of factors to be considered when pursuing a False Claims Act case.

III.   Damages Under the Civil False Claims Act:

            A “person” (which would covers individuals, physician practices, home health agencies, hospice agencies, third-party billing companies, ambulance companies, hospitals, skilled nursing facilities and other health care providers)   found to have violated this statute is liable for civil penalties in an amount between $5,500 and not more than $11,000 per false claim, as well as up to three times the amount of damages sustained by the government.

IV.   What is the Involvement of the U.S. Department of Justice?

            While attorneys in DOJ’s Civil Division in Washington, D.C. are likely to be involved in most of the larger, more complex cases under the False Claims Act, it is important to remember that a “Civil Health Care Fraud Coordinator” has been appointed in each of the 94 U.S. Attorney’s Offices around the country. Assistant U.S. Attorneys are highly trained and experienced in handling False Claims Act cases and will readily file a case against a health care provider in the event that improper conduct can be shown.

V.  Whistleblower or “Qui Tam” Provisions of the False Claims Act:

          One of the most unique elements of the False Claims Act is that it authorizes private parties having direct knowledge of fraudulent conduct to bring a civil suit against the violator on behalf of the government.  These civil suits are known as qui tam actions, and the private parties who initiate such actions are called “relators.”  Relators may share in any monies recovered as a result of their qui tam action.[1]

            A qui tam action is initiated when a relator files a complaint – along with supporting documentation – “under seal” in federal court.  When a case is filed under seal, it means that all records associated with the whistleblower are maintained on a non-public docket by the Clerk of the Court.  A copy of the complaint is given to the judge assigned to the case.  The relator’s attorney also serves a copy of the complaint on the Attorney General in Washington, D.C. and on the U.S. Attorney in the federal judicial district in which the case was filed.[2]  Initially, the government will have 60 days to evaluate whether to proceed against the defendant.  In almost all cases, the government will seek an extension to allow it an opportunity to investigate the allegations.  After showing “good cause” for an extension, most federal courts will readily grant the request for an extension.  It is not at all uncommon for a qui tam to remain under seal for over a year (and often much longer) while the government reviews the allegations.  The seal is important for several reasons:

  • The government can quietly investigate the allegations without the defendant knowing that their company is under investigation.
  • The mere existence of a government investigation can be devastating on the public’s view of a company.  Moreover, if a company is publicly-traded, the publicity surrounding a government investigation can severely affect the price of a company’s stock—despite the fact that the allegations at issue have not been investigated or proven at this point in the process. 

After concluding its evaluation, the government may elect to proceed with the complaint and intervene in the case or it may decline to intervene.  If the government decides to intervene in the action, then the relator has the right to remain a party to the action.  If the government decides not to intervene in the case, the qui tam relator may elect to proceed on his or her own against the defendant.  Notably, the government always retains the ability to intervene in the case at a later time.  From a practical standpoint, if the government decides not to intervene in a case, in all likelihood the relator will seek to dismiss the suit.  Unlike the government, the relator’s ability to investigate a False Claims Act case is quite limited, both in terms of resources and in terms of investigative tools.  As a result, the government’s decision to decline to intervene severely impacts a relator’s ability to move forward with the case.

            The government often asks the court to partially lift the seal solely for the purpose of advising the defendant of the existence of the case and to seek their cooperation in resolving the allegations.

             Should the government choose not, to intervene, it will often ask that the Court remove the seal to the case.  Once the seal is removed, the case (and its allegations) will be part of the public record.  In cases where the government chooses to intervene, the case is often kept under seal until a settlement is worked out with the defendant.

            There are a number of limitations placed on the filing of qui tam cases.  Two of the more commonly seen limitations include:

  • When the government has already initiated an action against a party for the same allegations that would form the basis of a qui tam suit; or

  • When the action is based on publicly-disclosed information[3] that was contained in an official hearing, report, investigation, audit, or information disseminated by the news media. 

VI.  Record Recoveries in 2012 Under the False Claims Act:

            In recent years, False Claims Act recoveries resulting from whistleblower suits have exceeded most observers’ expectations.  Issues related to the False Claims Act should be at the top of the list of ongoing concerns for most health care Compliance Officers.  The potential damages a provider may face for violations of the False Claims Act cannot be understated.

             In Fiscal Year 2012, the U.S. Department of Justice secured settlements and judgments in civil False Claims Act of $4.9 billion.  Notably, this includes a “record recovery for a single year” by more than $1.7 billion.  Over the last four years, $13.3 billion has been recoveries.  Notably, this represents more than a third of the total recoveries achieved since the False Claims Act was amended over 26 years ago.[4]

VII.  Are Physicians Being Targeted Under the False Claims Act:

         While large pharmaceutical, durable medical equipment and hospital chain cases continue to dominate the press, physicians, dentists and other solo health care providers are increasingly finding themselves and their practices subject to whistleblower suits under the False Claims Act by former employees, competitors and others who believe that false claims are being submitted to the government for payment.

          Notably, a recent whistleblower case pursued by the U.S. Department of Justice against an individual physician (a dermatologist) resulted in a $26.1 million settlement.  In this case, the physician was alleged to have accepted kickbacks from a pathology laboratory.  The physician was also accused of billing Medicare for medically unnecessary services. The whistleblower reportedly collected $4 million as part of the settlement.

VIII.  How Can You Prevent a False Claim Act from Being Filed Against You?

         Ultimately, your ability to avoid the filing of a False Claims Act case against you or your practice rests on your ability to comply with state and federal laws, regulations and rules governing the provision, coding and billing of health care services. Without a doubt, the single most important step you can take in this regard is to develop, implement and adhere to the provisions and guidelines set out in an effective Compliance Plan.  While most hospitals and other institutional providers have had Compliance Plans in place for many years, very few physicians have taken this necessary preventative step.

          Will a Compliance Plan prevent you from having a False Claims Act case brought against you or your practice?  No, not necessarily.  Instead, you should look at a Compliance Plan as being akin to a flu shot.  Just because you have received a flu shot does not mean that you will never catch the flu.  However, if you do come down with the flu, chances are that it won’t be as serious and it might otherwise have.  All of us make mistakes, and physicians are not immune to this risk.  Nevertheless, having an effective Compliance Plan in place is likely to greatly assist you in your efforts to stay within the four corners of the law.

Robert W. Liles is a health care attorney experienced in handling prepayment reviews and audits.Robert W. Liles serves as Managing Partner at Liles Parker.  Robert and other attorneys at Liles Parker have extensive experience working on False Claims Act matters and case.  For a free consultation, please call Robert at:  1 (800) 475-1906.   

 


[1] Whistleblowers (also known as “Relators”) can receive between 15% and 25% of any recovery in a qui tam action where the government has intervened in the case.  In a non-intervened case, a relator may recover up to 30%.  Consequently, there is a tremendous financial incentive to file and pursue these types of actions.

[2] The relator must also serve a “disclosure statement” on DOJ (normally, it is provided to the U.S. Attorney’s Office) which sets out the evidence that the relator has in support of the allegations set out in his/her Complaint.  This statement is not filed with the Complaint and is not given to the defendant.

[3] This rule is known as the “public disclosure bar.” The Affordable Care Act modifies this rule in several respects.  First, a qui tam action will not be dismissed under the public disclosure rule if the government opposes dismissal.  Second, fraud disclosed in private legal actions will not activate the public disclosure bar; the government must have been a party to the action in order for the public disclosure rule to apply.  Third, information obtained from state proceedings or hearings likewise will not qualify under the public disclosure bar.  Finally, the public disclosure bar will not operate where the relator was the “original source” (e.g., has independent knowledge) of the fraud or false claim allegation.

[4] http://www.justice.gov/opa/pr/2012/December/12-ag-1439.html

 

Download PDF