Copyright © 2011. Balch & Bingham LLP. All rights reserved Compliance, Disclosures and Enforcement: déjà vu All over Again 3 rd Annual Mississippi Hospital

Copyright © 2011. Balch & Bingham LLP.

All rights reserved

Compliance, Disclosures and Enforcement: déjà vu All over

Again

3rd Annual Mississippi Hospital Association Health Law Conference

Madison, MississippiApril 6, 2011

Dinetia M. [email protected]

Copyright © 2010. Balch & Bingham LLP. All rights reserved2

Topics Covered

Voluntary v. Mandatory Compliance Programs What to Do? Where to Start? Compliance – The Four-legged Stool Regulatory Agencies Focus on Four Risk Areas Recipe for Compliance Program Effectiveness Self-Assessment – Strategies Organizational and Operational Best Practices


Voluntary v. Mandatory Compliance Programs


Voluntary Compliance Program

“The OIG believes that a basic framework for any voluntary compliance program begins with a review of the seven basic components of an effective compliance program. A review of these components provides [providers and suppliers] with an overview of the scope of a fully developed and implemented compliance program. The following list of components, as set forth in previous OIG compliance program guidances, can form the basis of a voluntary compliance program for a [provider or supplier]…”

» 65 Fed. Reg. 59,436 (October 5, 2000)



OIG Compliance Program Guidance for Hospitals (2/23/1998)

Conducting internal monitoring and auditing Implementing compliance and practice standards Designating a compliance officer or contact Conducting appropriate training and education Responding appropriately to detected offenses

and developing corrective action Developing open lines of communication; and Enforcing disciplinary standards through well-

publicized guidelines



OIG Supplemental Compliance Program Guidance for Hospitals (1/31/05) Focuses on application of compliance program guidance in connection with OIG-perceived

risk areas Fraud and abuse risk areas

Submission of accurate claims and information Self-referral issues (Stark law and Federal Anti-Kickback statute issues) Emergency Medical Treatment and Labor Act Payments to reduce or limit services: gainsharing arrangements Substandard care Relationships with Federal health care beneficiaries Discounts to uninsured patients Preventive Care Services Profession Courtesy

OIG focus directed to effective hospital compliance programs involving hospital’s governing body and management’s commitment, structures and process to create effective internal controls and regular self-assessment and enhancement of the existing compliance program

Evidence of and effective compliance program includes self-reporting of misconduct following discovery of credible evidence from any source and following a reasonable enquiry

Note:OIG mentioned as early as 2005 60 days as being reasonable to report misconduct.


OIG’s PPACA Mandate

Keynote Address Delivered by Daniel R. Levinson, Inspector General of DHHS, at the HCCA Annual Compliance Institute (April 19, 2010):

PPACA program integrity provisions include authorities and requirements to:

strengthen provider and supplier enrollment standards and enhance screening;

address certain misalignments between Medicare and Medicaid reimbursements and market prices and create new links between payment and quality;

promote compliance with program requirements, including by requiring providers to implement compliance programs;

enhance program oversight, including by requiring greater reporting and transparency and by improving data access and coordination among government agencies; and strengthen the Government’s response to health care fraud and abuse through new enforcement authorities and tools.


PPACA Includes Mandatory Compliance Requirements

Mandatory Compliance Program for All Providers Condition of enrollment in the Medicare program that classes of

providers and suppliers implement compliance programs Secretary discretion to dictate timelines for implementation, types of

providers and suppliers required to adopt compliance programs Secretary to develop core elements for each class of provider or

supplier required to adopt programs September 23, 2010 – CMS requested comments from providers and

suppliers on using as core measures the seven elements from Chap. 8 – Federal Sentencing Guidelines Manual

Note: Medicare Advantage plans were required to have an “effective” compliance “program” as of January 1, 2011. PPACA sets March 23, 2012 as date for HHS’s issuance of compliance program requirements for nursing homes.


What to Do? Where to Start?


Start where you are with what you have!


Compliance as a Four-Legged Stool

4 Major Risk Areas for Hospitals Referral relationships

Billing and coding governmental and commercial payors

Privacy and security of patient information

Quality Issues


Government Advice and Enforcementin Risk Areas


Government Advice and Enforcement – Referral Relationships

OIG Training & Publications OIG Health Care Fraud Prevention and

Enforcement Action Team: Provider Compliance Training – http://compliance.oig.hhs.gov/

Physician Education Training Manuals – www.oig.hhs.gov/fraud/PhysicianEducation/

OIG Compliance Resource Material – http:www.oig.hhs.gov/fraud/complianceresources.asp









Enforcement United States ex rel. Drakeford v. Tuomey Healthcare System, Inc. – Allegations

of Anti-kickback/Stark/False Claims Act Violations Tuomey Hospital, Sumter, S.C. Surgeons employed part-time for Outpatient Surgery Center Justice Department alleged compensation exceeded fair market value Hospitals obtained 2 valuation analyses and relied on opinions During trial, hospital placed attorney/client privileged communications in

record (reliance on advice of counsel) Jury awarded $49.4 Million for Stark violations, dismissed FCA claim June 3, 2010 – District Court granted motion for new trial on FCA claims

Based on ruling that certain government evidence was earlier excluded According to government statements, FCA trial’s focus will be on hospital’s

knowledge of whether employment agreements violated Stark law



Enforcement United States ex rel. Singh v. Bradford Regional Medical Center,

et al Bradford Regional Medical Center, Bradford, PA Lease of nuclear camera by hospital from physician group –

competitor physician group filed qui tam lawsuit alleging Stark law violation (did not meet exception), Anti-kickback violation (false certification) and False Claims violations

Government did not intervene Court could not determine intent for FCA and A/K purposes;

but, lease did not satisfy any Stark exception Issues: whether compensation meets fmv definition even if

written valuation report is obtained (lease plus covenant not to compete compensation); whether fixed compensation can “take into account” volume/value of physician referrals; when is there a failure to be “set out in writing”



OIG Provider Self-Disclosure Protocol (Anti-kickback) October 30, 1998 Allows provider community to voluntarily disclose self-discovered evidence of

potential fraud with purpose of avoiding cost and/or length and disruption of government investigation

Opportunities for reduced penalties

CMS Voluntary Self-Referral Disclosure Protocol (Stark) September 23, 2010 – mandated by Section 6409 of PPACA Allows suspension of 60 day repayment timeframe for overpayments Does not provide bifurcated disclosure process - traditional route for complex

disclosures and a fast track with set dollar repayment obligations for certain more procedural violations

Not widely embraced – but 55 disclosures in pipeline (Troy Barsky, CMS)


Billing and Coding - Governmental and Commercial Payers

CMS Audits:

RACs - errors CERT – Comprehensive Error Rate Testing - errors PSCs – Program Safeguard Contractors - fraud ZPICs – Zone Program Integrity Contractors – fraud

Enrollment

Medicaid Audit MICs – Medicaid Integrity Contractors - fraud Medicaid Fraud Control Unit - fraud PERM - errors






Privacy and Security of Patient Information

HHS/OCR Rulemaking

HIPAA—August 1996

Privacy Rule—April 2003

Security Rule—April 2005

Enforcement Rule—March 2006

American Reinvestment and Recovery Act (“ARRA”)—February 17, 2009

Health Information Technology for Economic and Clinical Health Act (“HITECH”)—ARRA Division A, Title XIII – Health Information Technology, § 13001 et seq



HHS/OCR Enforcement – Cignet Health of Prince George’s County, Maryland

Family physician practice group with four locations and health insurance plan

Nature of breach

Failure to provide 41 individuals timely access to medical record copies

Failure to cooperate with HHS in OCR’s investigation of patient complaints

Failure to correct violations within 30 days of when Cignet knew or with exercise of reasonable diligence would have know of violations

Penalties Imposed

$100 per day (13,516 days) for failure to provide medical records to patients (total $1.3 million)

$50,000 per day (7,478 days) for failure to cooperate with HHS/OCR (total $3 million)



General Hospital Corporation & Massachusetts General Physicians Organization, Inc. (Mass General) Nature of Breach

Patients’ charts removed from Mass General’s Infectious Disease Associates outpatient practice and inadvertently left on subway train

Documents included billing and encounter forms with name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider

Also included daily office schedules with names and medical record numbers of 192 patients (including patients with HIV/Aids)

Settlement Terms Immediate payment of $1 million dollars 3 year Corrective Action Plan requiring policy and procedure

development regarding physical removal and transportation of documents containing PHI, encryption of laptops and USB drives, processes to distribute and update policies and procedures, workforce training, designation of monitor for assembling annual report to HHS


Quality Issues – Reports - Roundtables


QUALITY ISSUES – GOVERNING BODY


Quality Issues – CMS Enforcement

Hospital Inpatient Quality Reporting Program (IQR) (formerly Reporting Hospital Quality Data for Annual Payment Update – RHQDAPU) Reporting of annual quality measures or 20% reduction in annual market

basket update

FY 2017 – Dollars Potentially at Risk - Base DRG payments – 6% Hospital-acquired conditions – 1% starting FY 2015

Readmission – 1% - 3% - phased in over three years starting in FY 2013

Value-Based Purchasing – 1% - 2% reduction starting in FY 2013 (phased in over four years with the opportunity to recoup full amount plus)


Recipe for Compliance Program Effectiveness: Governmental Requirements, Audits, Expectations

and Enforcement


Recent Governmental Compliance Program

Requirements/Enforcement

Medicare Advantage and Part D Plans Effective 1/1/2011, MA and Part D plans must adopt

and implement an effective compliance program

Program must Prevent, detect, and correct noncompliance with CMS

program requirements

Contain measures that prevent, detect, and correct fraud, waste, and abuse

Contain the 7 core elements of a compliance program

Compliance Officer and Compliance Committee must Report to CEO or other senior management

Report periodically to governing body


Recent Governmental Compliance Program

Requirements/Enforcement

Nursing Facilities PPACA requires HHS Secretary to adopt regulations

requiring nursing facilities to implement compliance programs

By March 23, 2012, HHS must promulgate regulations requiring nursing facilities to implement effective compliance programs

The regulations

May include a model compliance program

Must allow for compliance program variations based on organization size (higher standards for organizations with 5 or more facilities)


Compliance Program Effectiveness


Compliance Program Effectiveness:Where to Start?

Focus on key regulatory obligations Identify specific hospital risk area by looking at hospital

deficiencies; regulators’ lists of key deficiencies; PEPPER reports; OIG Work Plan; OIG list of enforcements

Look at control structure, process, outcomes Consider involvement of governing body and “C” level

executives Identify way to measure performance: metrics, system to

add/deduct points for meeting 7 required elements or lack of structure, processes, regulatory notices, fines, sanctions


Compliance Program Effectiveness: Self-Assessment Tool - CMS

Centers for Medicare & Medicaid Services Self-Assessment Tool - modeled after tools developed by New

York State Office of Medicaid Inspector General (OMIG) and HCCA

CMS considering using tool prior to audit to gather information and to aid audit efforts

What is it? Checklist to evaluate program design, to identify

strengths/weaknesses

Tool to identify key components

Not regulatory guidance or list of compliance program requirements


Compliance Program Effectiveness: Self-Assessment Tool – New York – OIG

Medicaid


Compliance Program Effectiveness: Self-Assessment Tool – CMS


Compliance Program Effectiveness: Self-Assessment Tool – CMS


Compliance Program Effectiveness: Self-Assessment Tool

Example from Balch & Bingham Compliance Assessment Tool

Source1Policies (Including date last

reviewed) Processes/ Controls Performance Measurement

A. Written Policies and Procedures

1. Formal commitment by governing body to adopt all applicable elements of the OIG Compliance guidelines

63-42412; 64-54033

2. Standards of Conduct address the organization's commitment to compliance and expectations for employees and others covered by the Code. Code is comprehensible and distributed to all employees. Code is regularly updated.

63-42412; 64-54034

3 Special Risk Areas -- Home Healtha. Documentation of patient medical condition, need for home health services and supplies, and the actual provision of such services and supplies in the patient's medical record

63-42415

b. Patient eligibility for home health services(1) Patients meet the definition of "homebound" and homebound status is certified by the patient's physician

GAO 2/ 09 at 14; OIG FA 8/ 95; 63-41415; OIG 6/ 04 at 4

(2) Patients have a need for intermittent skilled nursing services or physical or speech therapy service (not available from a family member of other source)

OIG FA 8/ 95; 63-41415; OIG 6/ 04 at 4

(3) Services are received pursuant to a physician-approved plan of care

63-41416; OIG 6/ 04 at 5


Compliance Program Effectiveness: CMS’s Tips for Gauging Non-Effective

Compliance Program According to CMS*, indicators that a compliance program may NOT be

effective include: The compliance officer does not report directly to the board or the chief

executive officer of the provider or supplier. The provider or supplier has no compliance committee. The compliance program does not include confidential or anonymous reporting

of compliance issues. Employees are afraid to communicate any compliance issues “up the chain” of

command. Audits are infrequent and management disregards data obtained through

monitoring efforts. While the provider or supplier responds to incidents, it does not put in place

systemic corrections. Employees who report complaints or other compliance issues receive no or

negative recognition. Discipline is inadequate and inconsistent. Allegations are not affectively investigated.

In summary, the provider or supplier cannot evidence any systemic efforts to build a strong ethical culture.

*American Health Lawyers Association Practice Group Brown Bag Luncheon- February 11, 2011


QUESTIONS?


Thank YouBalch & Bingham LLP

401 East Capitol Street, Suite 200

Jackson, MS 39201www.balch.com

Dinetia M. Newman

[email protected]

601-956-8169