Recently, Professor Zack Buck’s Health Care Fraud and Abuse class was treated to a spirited panel on the current state of health care fraud, prosecution and defense. The panel, meeting again this year to allow students an opportunity to hear details about actual practice from both sides of the bar, was moderated by Chris Zalesky, the Vice President of Global Policy & Guidance for Johnson & Johnson in the Office of Health Care Compliance & Privacy. Zalesky has more than 20 years of experience in regulatory affairs, quality assurance and research and development functions within the medical device and pharmaceutical industries. He has also taught as an Adjunct here at Seton Hall Law.
The panel included Maureen Ruane, Assistant U.S. Attorney and Chief of the Health Care & Government Fraud Unit for the United States Attorney’s Office, District of New Jersey, and Bruce Levy, an attorney with the firm of Gibbons, P.C. Ruane served as Assistant United States Attorney from 1998 to 2004, and returned to the office in 2010 after working as a partner in the law firm of Lowenstein Sandler. Levy, also formerly an Assistant U.S. Attorney, currently focuses his practice at Gibbons on criminal, civil, and administrative cases arising from federal and state health care fraud investigations, health care compliance, The False Claims Act and qui tam cases, corporate investigations, and white collar criminal law.
Touching on a wide variety of topics, Ruane explained that the “sea of health care fraud is so deep” that it affects all aspects of the American health care system, from hospitals to physicians to pharmacies and all other health care providers. Many of the fraud prosecutions that flow through Ruane’s office come in the form of qui tam actions under the False Claims Act. Coming from a Latin phrase meaning “[he] who sues in this matter for the king as [well as] for himself,” a qui tam action is a unique fixture of the False Claims Act that allows private citizens to act as whistleblowers and sue health care corporations for perpetrating fraud on the government. The whistleblower, or “relator,” stands to gain a percentage of the civil damages awarded against the corporations.
Having seen countless relators over her time with the government, Ruane was in a rather unique position to speak about the underlying motivations behind the people who sue on behalf of “king and self.” Contrary to common thinking, Ruane explained that whistleblowers generally did not act out of greed or a desire to hurt the company. In fact, she felt the opposite: most relators were actually intensely loyal to their companies and had usually tried to voice their concerns multiple times in-house before bringing a complaint to the attention of government prosecutors.
Working as defense counsel, Levy voiced the concerns of private industry, in particular about the lack of guidance in the current law. He stressed that many pharmaceutical companies, hospitals, physicians and health care providers feel as if they are trying to act within the bounds of the law when in reality those boundaries are more blurry than clear. As an example, Levy talked about how he felt the need for clearer guidance on pharmaceutical marketing of “off-label” medications. When the Food and Drug Administration approves a medication for use in the U.S. health care market, the drug is approved for a specific use or indication. However, clinical studies often show beneficial uses for medications for additional aliments, and it is legal for physicians to prescribe the drugs for these other uses. In addition, Medicare and many private insurers will pay for use of a medication for different indications than what the FDA approved, in effect, subsidizing “off-label” use. There are thus competing federal agency views on medications, with the FDA only approving the drug for a particular use, but the Center for Medicare Services alternatively approving use of the drug for other, off-label uses. Problems arise because there are complex, and Levy felt unclear, regulations as to how pharmaceutical companies may represent or market the drug for off-label use. Levy explained that he felt new legislation was required to give clear guidance to the industry.
Both Ruane and Levy, approaching the bar from different perspectives, engaged in lively conversation and took questions from the audience, giving students numerous real-world examples of the theories and topics they learn about in class. As might be imagined, bringing with them contrasting prosecution and defense-side perspectives, the two often approached the same issues from opposing viewpoints, providing a unique experience for the class. However, the one thing they both agreed on was that with rising health care costs directly on the government’s radar, aggressive prosecution of health care fraud will not slow down any time in the future.
By Laura Sunyak
In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act contains regulations that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Information Portability and Accountability Act (HIPAA), and encourages corrective action. In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision. A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule. As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent. The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations. If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.
Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between. Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECT Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties. The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office of Civil Rights which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties. The penalties collected for violations will in turn be used to fund greater enforcement efforts. The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.
The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009. (For an explanation of the meaning of “interim final rule,” click here. According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000. For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down into whether or not the covered entity corrects the violation. If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000. If the penalty is not timely corrected, each violation will be fined $50,000. The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.
According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
The enactment of these tougher enforcement penalties create additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.
When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information. With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPPA, the new rule is a step in the right direction toward greater protection of protected information. With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.
As HHS, acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions. The remaining provisions, which are not yet effective, will be addressed in the near future.
By Christine Davis
For medically uninsurable people, or people with pre-existing conditions who cannot find coverage, coverage may soon materialize. Even before President Obama signed the PPACA, CMS had provided “Qualified High Risk Pool” grants to qualifying states, in order to cover these higher risk people since 2007. (45 CFR Part 148) Thirty-five states participated. Before health care reform passed in 2010, states could qualify for operational or seed grants, which they could use to cover eligible individuals. (Federal Register, v 73, no 81). PPACA authorizes the development of a temporary national high risk pool, which will operate similar to what is happening now with the state grants and will function as a temporary fix until the insurances exchanges kick in after 2014 and insurance companies are mandated to cover all individuals with pre-existing conditions. This is a unique part of the new bill because it seems to be something both Republicans and Democrats can agree on. Previously, the majority of these state high risk pools had lifetime maximum payouts, usually around $1 million, (three states had lifetime maximums of $500,000). Once these individuals reached that amount, they had no other way to be insured. (http://www.federalgrantswire.com/seed-grants-to-states-for-qualified-highrisk-pools.html).
The goal of the national risk pool is to transition the uninsurable until health care exchanges are established in 2014. Once that happens, there will no longer be lifetime or annual limitations on coverage. The idea here is that an individual will never reach a point where there is absolutely nowhere else to go for coverage.
By 2014, eligible individuals will be people “who have not had creditable coverage for the previous six months and now have a pre-existing condition.” As of now, most state pools require those seeking coverage to (a) submit proof that they have been denied coverage due to a pre-existing condition, or (b) show that they have applied recently for coverage and were a victim of “adverse underwriting actions,” such as limiting benefits or charging extraordinary premiums (for example, diabetics). (Coverage: Creating a Temporary National High Risk Pool: the New Health Dialogue Jan 12, 2010). One concern of these eligibility requirements is that they might discriminate against those who only recently lost coverage, because they are making every individual prove they have not had coverage in the past.
An advantage to a national high risk pool as opposed to a state high risk pool is that it will be more balanced and less costly, because the premiums charged won’t be as high. Although, if annual or lifetime limits aren’t capped once these exchanges kick in, these costs could skyrocket. However, a downside is that in some states, these high risk pools have limited eligibility and low enrollment, and for example, monthly premiums costing an individual well over $1,000/month. However, the news is not all bleak. States like Minnesota have been doing it right all along, even with broad eligibility, by finding additional streams of revenue, such as tobacco settlement funds, with which to support the pool. In order to be successful, the national pool, should model itself after successful states like Minnesota.
By: Constantina Koulosousas
The Patient Safety and Quality Improvement Rule was amended, effective November 23, 2009, by the Department of Health and Human Services to adjust the maximum civil money penalty amount for violations of the confidentiality provisions. The amount was adjusted for inflation to comply with the Federal Civil Penalties Inflation Adjustment Act of 1990. This amendment was carried out through direct final rule making, as HHS expected no significant adverse comments to the rule.
The Patient Safety and Quality Improvement Act of 2005 created a voluntary program for health care providers to share what is known as “patient safety work product” (PSWP), or any information relating to patient safety events and concerns with each other and Patient Safety Organizations (PSOs). The Department of Health and Human Services is required to maintain a listing of all PSOs.
The Act amended Title IX of the Public Health Service Act for the purpose of improving patient safety and quality of care. As with attorney work product, this information is privileged and confidential. While the program may be voluntary, a knowing or reckless violation of the confidentiality requirements of the Act can result in a civil money penalty of up to $10,000 for each violation, as assessed by the Office for Civil Rights.
The deterrence effect of the civil money penalties had been reduced by inflation. This caused Congress to enact the Inflation Adjustment Act. This Act requires Federal agencies to issue regulations adjusting each civil money penalty found within the Public Health Service Act within their jurisdiction, for inflation. The agencies are required to issue these regulations at least once every four years from July 29, 2005, the date of its enactment. The inflation amount is adjusted through a three-step process.
First, the agency must calculate an increase in the penalty amount by a “cost-of-living adjustment.” “Cost-of-living adjustment” is defined in the act as the percentage for each civil monetary penalty by which the Consumer Price Index for the month of June of the calendar year preceding the adjustment, exceeds the Consumer Price Index for the month of June of the calendar year in which the amount of such civil money penalty was last set or adjusted pursuant to law.
Second, the amount of increase must be rounded based on the size of the penalty as set forth in section 5(a) of the Act. Since the penalty in this case is $10,000, the increase is $1,000, making the final maximum penalty amount $11,000. Finally, the third step requires that a first adjustment be limited to 10 percent of the penalty amount. Accordingly, an $11,000 adjusted penalty is appropriate.
One great benefit of the Act is to make sure that the penalties assessed for such violations provide adequate deterrence to potential violators. This is done by periodically increasing the violation amount to account for inflation over time. Especially now in the wake of the massive health care reform and improvements in the use of Electronic Health Records, it is important to ensure patients that their personal health information remains confidential and that a breach of this confidentiality requirement will result in steep monetary penalties.
On the contrary, many may argue that the increase in the penalty amount is not adequate. Since the Act imposes a 10% cap in addition to a standard chart for calculating the inflation, it may not always be completely in sync with the current economic environment. Further, these penalty amounts are only updated every four years, which leaves a significant gap in time.
Additionally, the slight increase in money penalties assessed will not do much to comfort patients that their health information is protected and confidential. Once the information gets out, there is no amount of money assessed as a violation that can remedy the breach and the damage which may have already been done. Further, to many of the entities involved in such violations, a $10,000 penalty may seem like an insignificant slap on the wrist.
The Act only punishes a “knowing or reckless” violation of the confidentiality provisions, so breaches that occur unintentionally will not subject physicians or PSOs to liability. This mental state requirement is especially important as electronic health record software gets ironed-out, to get rid of any technical issues or glitches that may arise in the course of implementing such a national electronic system.
Conversely, the “knowing or reckless” standard may pose some difficulties enforcing liability under the Act, as it may not always be easy to prove that the confidentiality breach was done with such a state of mind, or even where the disclosure came from.
Surety Bond Requirements for Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS)
By Rachel Jones
The final rule implementing surety bond requirements for DMEPOS became effective March 3, 2009. The regulation implemented the surety bond requirements for DMEPOS set forth in section 4312(a) and (c) of the Balanced Budget Act of 1997 (BBA). The Centers for Medicare & Medicaid Services (CMS) proposed a rule on January 20, 1998 (63 FR 2926) reflecting the BBA’s surety bond requirements and solicited comments. Comments were solicited for advisability with respect to Section 4312(c) of the BBA, which further allowed CMS to require a surety bond from some or all providers or suppliers who furnish items or services under Medicare Part A or Part B and not solely Durable and Medical Equipment (DME) suppliers. A substantial amount of comments were received and in the final published rule on October 11, 2000 (65 FR 60366), CMS decided to delay the final rule with respect to surety bond requirements for suppliers of DMEPOS in order to further study the issue. However, in 2003 Congress enacted section 902 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108-173) (MMA) which prohibits the Secretary of Department of Health and Human Services from finalizing a proposed rule related to Title 18 that was published more than 3 years earlier except under exceptional circumstances. In response to this CMS proposed a rule on August 1, 2007 (72 FR 42001) to implement the statutory surety bond requirements set forth in the BBA. CMS received approximately 200 comments that were considered before they published the final rule on January 2, 2009. (FR 30802)
Surety bonds are a financial guarantee whereby a first party (obligee) contracts with a second party (principal) to perform duties in a contract that will benefit a third party (surety). The first party guarantees that the second party will fulfill its obligation(s) under the contract and in the event that the obligations are not met, the first party will recover its losses via the bond. CMS has imposed the rule in order to deter fraud and abuse by Medicare suppliers of DMEPOS. CMS believes a surety bond requirement will (1) limit the Medicare program risk to fraudulent DMEPOS suppliers; (2) enhance the Medicare enrollment process to help ensure that only legitimate DMEPOS suppliers are enrolled or are allowed to remain enrolled in the Medicare program; (3) ensure that the Medicare program recoups erroneous payments that result from fraudulent or abusive billing practices by allowing CMS or its designated contractor to seek payments from a surety up to the penal sum; and (4) help ensure that Medicare beneficiaries receive products and services that are considered reasonable and necessary from legitimate DMEPOS suppliers. CMS has also instituted other measures– including requiring accreditation for DMEPOS suppliers to deter fraud.
Who is affected by the surety bond requirements?
The regulation affects many healthcare providers; generally any DMEPOS supplier that is registered with the National Supplier Clearinghouse (NSC) may be subjected to the surety bond requirement. Every DMEPOS supplier to Medicare patients must register with the NSC. There are several exempt DMEPOS suppliers under the regulation:
I. Government-owned suppliers,
II. State-licensed orthotic and prosthetic personnel in private practice making custom made orthotics and prosthetics if the business is solely-owned and operated by said personnel and is billing only for orthotic and prosthetics, and supplies,
III. Physicians and non-physician practitioners if the DMEPOS items are furnished only to his or her patients as part of his or her professional service, and
IV. Physical and occupational therapists if: (1) the business is solely-owned and operated by the therapist, and (2) if the DMEPOS items are furnished only to his or her patients as part of his or her professional service.
The economic impact on non-exempt healthcare providers is significant since the regulation requires a minimum of $50,000 surety bond. This bond amount is required for each National Provider Identifier (NPI). Since DMEPOS suppliers must obtain an NPI by practice location, this amount can become quite significant for a supplier with multiple locations. The estimated cost to DMEPOS suppliers is approximately $1200 per $50,000 surety bond, depending on the company’s financial stability. The regulation also permits an additional $50,000 surety bond for high risk DMEPOS. For example, if a DMEPOS supplier has an adverse legal action within the last ten years preceding enrollment, revalidation, or re-enrollment then an additional $50,000 surety bond is required per adverse legal action. An adverse legal action includes: Medicare imposed revocation of any Medicare billing number, suspension of a license to provide health care by any State licensing authority, revocation or suspension of accreditation, a conviction of a Federal or State felony offense or an exclusion or debarment from participation in a Federal or State health care program.
CMS believes that the surety bond will deter fraudulent activity because a fraudulent DMEPOS supplier will not likely post a surety bond. However, it is more likely the basis for this new requirement is to more easily allow CMS to recoup lost funds due to fraudulent activities. In addition, the bond requirement allows CMS to track and reprimand those DMEPOS suppliers that have continuously violated the law and stayed in the Medicare