Jane Hyatt Thorpe and Teresa Cascio

Background

The Patient Protection and Affordable Care Act of 2010, as amended by the Health Care and Education Reconciliation Act of 2010 (collectively referred to as the ACA)^[1]; arms the federal government with significant new and enhanced tools to identify and pursue financial recovery for fraudulent, wasteful, and abusive healthcare practices. The cost of implementing other programmatic provisions of the ACA, such as coverage for the uninsured and increased fraud and abuse enforcement activities, will be paid for, in part, by monies recovered from prosecution of healthcare fraud and savings achieved from deterring fraudulent practices. Furthermore, reducing fraudulent and abusive practices is directly linked to the transformation of the health care system to a value-based system that rewards high-quality and efficient care delivery at lower cost. As the $4.1 billion recovered by the federal government in 2011 from fraud and abuse enforcement indicates, healthcare organizations, including providers (practitioners, hospitals, nursing homes), health plans, manufacturers (medical device, pharmaceutical), and suppliers (e.g., durable medical equipments companies), should expect continued aggressive enforcement in the coming years.^[2] The ACA heralds a new era of compliance in healthcare that will require these organizations to monitor their operations, implement robust compliance programs, report publicly a vast array of information about their business arrangements, and face significant penalties for violations.

Changes made by the Affordable Care Act, Public Law No. 111-148, §§ 1313, 6001, 6002, 6003, 6004, 6102, 6401, 6402, 6408, 6409, 6703, 7102, 10104, 10606

• False Claims Act (FCA). The FCA prohibits submission of fraudulent claims to the federal government, including for reimbursement from the Medicare program.
• Public Disclosure Bar. The ACA limits the scope of the public disclosure bar which prohibited FCA claims based on publicly available information by defining “publicly disclosed information” as only inclusive of information contained within federal reports and by granting the government the option to waive application of the public disclosure bar to claims based on publicly known information. Additionally, the ACA expands the scope of the original source rule by allowing a FCA whistleblower to pursue a claim if they have knowledge that adds materially to information already contained in government reports.^[3]
• Overpayments. Failure to return and report overpayments from a federal healthcare program within sixty days of identifying the overpayment now constitute a false claim and will result in penalties under the FCA.^[4]
• Health Benefit Exchanges. Payments made to state health insurance Exchanges once they are operational in 2014 with federal funds are subject to the FCA.^[5]
• Investigations. The ACA grants the Department of Health and Human Services Office of Inspector General (OIG) new authority to access information for healthcare fraud investigations from providers and suppliers as well as other organizations that provide, supply, or order medical services or supplies that are payable by a federal healthcare program even if the program does not pay. The ACA expressly authorizes the OIG to access patient medical records during such investigations.^[6]
• Anti-Kickback Statute. The ACA establishes that all violations of the federal healthcare program Anti-Kickback Statute “constitute a false or fraudulent claim” under the FCA.^[7]
• Anti-Kickback Statute (AKS). The AKS prohibits any organization or individual from giving, receiving, or soliciting remuneration in exchange for referrals of health care services or supplies paid for by the federal government.
• The ACA removes the specific intent requirement of the AKS so that a violation may arise regardless of whether an individual has actual knowledge of the AKS or specific intent to violate the statute.^[8]
• Physician Self-Referral (Stark) Law. The Stark Law prohibits physicians from referring patients for health care services paid by Medicare or Medicaid to a health care entity in which they have a financial (ownership or compensation) interest.
• Whole Hospital Exception. The ACA eliminates the Stark Law’s “whole hospital exception” that had allowed referrals, in limited circumstances, to hospitals owned by the referring physician (e.g., Specialty Hospitals).^[9]
• Self-Referral Disclosure. CMS, on behalf of the Secretary of HHS, has established a self-referral disclosure protocol (“SRDP”) for providers to report actual or potential violations of the Stark Law as required by the ACA. The ACA also gives the Secretary authority to reduce the penalties for self-reported violations.^[10]
• Ancillary Services Exception. Physicians may generally provide ancillary services (e.g., diagnostic testing, lab services) to their patients without violating the self-referral prohibition. However, the ACA now requires physicians to give their patients a written list of additional area suppliers before providing certain imaging services (e.g., magnetic resonance imaging, computer tomography, and positron emission tomography) services so that patients may make a fully informed decision.^[11]
• Compliance Programs and Requirements.
• Mandatory Provider Compliance Programs. All providers or suppliers participating in Medicare, Medicaid, or CHIP must establish a compliance program as a condition of their participation. The HHS Secretary is authorized to establish the “core elements” of the program as well as implementation timelines specific to “particular industry[ies] and category[ies].”^[12]
• Skilled Nursing Facility and Nursing Facility Compliance and Ethics Programs. All skilled nursing and nursing facilities must establish compliance and ethics programs for the purpose of detecting and preventing violations of the Social Security Act and promoting quality care. The HHS Secretary has authority to reduce penalties for self-reported violations.^[13]
• Provider Screening. The Secretary must establish regulations for screening providers of Medicare, Medicaid, and CHIP services.^[14]
• Pharmaceutical Manufacturer Compliance.
• The Secretary must establish additional requirements for compliance programs of pharmaceutical manufacturers and covered entities in order to prevent overcharging and improper discounting of medications. These requirements will permit the Secretary to review pricing information and establish civil monetary penalties for violations.^[15]
• Drug Sample Reporting. Pharmaceutical manufacturers and distributors must submit annual reports to the Secretary that contain the amount and type of drug samples requested in the preceding year, the name and address of the provider that requests the drug samples, and other information as specified by the Secretary.^[16]
• 340B Program Integrity. The Secretary must make various improvements to improve both manufacturer and covered entity compliance with 340B requirements, including creation of a system to verify ceiling price calculation, development of procedures for refunding manufacturer overcharges, creation of a system for reporting rebates and discounts to the Secretary and ensuring that covered entities receive “appropriate credits and refunds,” and imposition of sanctions.^[17]
• Transparency Reporting. “Covered drug, device, biological, or medical supply” manufacturers that pay or transfer any items of value to physicians or hospitals must report such payments or transfers to CMS on an annual basis beginning on March 31, 2013. The reports must identify whether the physician or hospital has an ownership interest in the manufacturer and explain the reason for making the payment or transfer.^[18]
• Federally Funded Long-Term Care Facilities. All long-term care facilities that receive at least $10,000 dollars must report any “reasonable suspicion” of crime against a facility resident to the Secretary and a minimum of one law enforcement agency. Failure to comply will subject the violator to a maximum civil monetary penalty of $300,000 and possible disqualification from federal health care programs.^[19]
• Penalties
• Fraud Sentencing Guidelines. The United States Sentencing Commission must, after consultation with interested stakeholders, amend the fraud sentencing guidelines so that the guidelines accurately reflect the seriousness of the crimes, provide mechanisms for mitigation, and are consistent with other federal sentencing guidelines.^[20]
• Intent. The ACA removes the specific intent requirement under the general health care fraud statute (18 U.S.C. 1347) which applies to any health care benefit program (public and private) so that an individual may now be held liable even if they acted without actual knowledge or specific intent.^[21]
• Medicare Advantage and Part D plans. The HHS Secretary may impose civil monetary penalties (CMPs) on Medicare Advantage and Part D plans that enroll individuals without their consent, transfer individuals without their consent in order to earn a commission, violate marketing restrictions, or employ or contract with an individual or entity that engages in prohibited conduct.^[22]
• Suspended Payments. The Secretary may suspend Medicare and Medicaid payments to providers or suppliers while investigating “credible allegations of fraud.”^[23]
• Program Exclusion. The Secretary may prohibit individuals and entities from participating in federal healthcare programs if such individuals and entities knowingly make false statements or misrepresentations while applying, bidding, or contracting with federal healthcare programs to provide services or supplies.^[24]
• Enhanced Penalties. Individuals or entities that knowingly make false statements in relation to false claims or unreasonably delay audits or investigations by the Inspector General may be subject to a penalty of $50,000 per false statement or $15,000 per day that the Inspector General is delayed.^[25]

Implementation

CMS has finalized regulations regarding Stark Law self-referral exceptions and provider screening requirements^[26] and has released a proposed rule for returning Medicare overpayments.^[27] CMS has not yet released a proposed rule relating to mandatory compliance programs. However, compliance experts anticipate that those regulations will closely track the OIG program guidance documents.^[28]

Key Issues

• Federalism. New York enacted a mandatory compliance law in 2009 that places further requirements on entities operating within the State.^[29] Will other States follow the lead of New York? How will the federal and state compliance requirements interact? How will differing requirements affect healthcare entities operating in multiple states?
• Effective Compliance Programs. The ACA requires all Medicare, Medicaid, and CHIP providers to implement “effective” compliance programs. However, the ACA does not define “effective” and CMS has not yet released regulations defining the term or expectations for compliance programs. Although there is well-established guidance from OIG, the absence of a final rule fosters uncertainty as organizations are working to refine or develop compliance programs.
• Overpayment. The ACA does not define “identified” for the purposes of returning overpayments within 60 days, so it is unclear when the sixty day period to avoid violating the ACA begins. CMS has proposed to define “identified” as occurring when a “person has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the existence of the overpayment.”^[30] However, it is unclear whether this proposed definition actually clarifies the ambiguity.
• Reporting Requirements. The ACA includes a myriad of new reporting requirements ranging from physician disclosure of financial interests in imaging equipment to payments made to physicians and hospitals by pharmaceutical and device manufacturers. While these requirements are intended to ensure consumers are fully informed of any potential conflicts of interest a provider may have in making a referral or using a particular drug or device, it is unclear whether these requirements will truly deter fraudulent arrangements. Furthermore, the reporting requirements impose a significant burden on providers and manufacturers that may increase, rather than decrease, costs.
• Disclosure. The creation of the SRDP in the ACA means that entities must now make disclosures both to CMS and the OIG. CMS has made clear that the SRDP is only for actual or suspected violations of the Stark Law. If conduct may violate the Stark Law and give rise to Anti-Kickback liability, then the entity must disclose the conduct to the OIG rather than CMS.^[31] Given the commonalities of potential Stark and Anti-Kickback violations, the risk of significant penalties associated with self-reporting, and the related jurisdictional authorities of CMS and OIG, it is unclear how this separation of reporting systems will work in practice.
• Settlement. The ACA permits CMS to reduce penalties for Stark Law violations reported through the SRDP after consideration of factors such as the extent of harm and timeliness of reporting.^[32] Stakeholders will be closely watching whether CMS will be strict or lenient in applying these factors to future settlements. Either approach may under undermine the efficacy of the SRDP.

Authorized Funding Levels

The ACA allocated $100 million for health care fraud and abuse investigation efforts during the years 2011-2020 and the Reconciliation Act added another $250 million for such efforts during the years 2011-2016.^[33]