Weekly Health Care Criminal and Civil Fraud Enforcement Round-Up
The following highlights notable health care fraud and abuse news, settlements and enforcement actions from the previous week.
- Congressional Hearing Testimony Highlights $2.4 Billion in Health Care Fraud Recoveries for FY 2015 and Names Medical Device, Pharmaceutical and Home-Based Services Areas as Concerning Areas. On September 28, 2016, the House Ways and Means Oversight Subcommittee, chaired by Rep. Peter Roskam (R-IL), held a hearing focusing on fraud in the Medicare program. According to Roskam, up to 10% of health care spending (about $60 billion a year) can be attributed to fraudulent charges. Testifying witnesses, including a United States Attorney and an Office of Inspector General special agent, highlighted the government’s continued dedication to health care fraud and prevention efforts, stating that those efforts recovered approximately $2.4 billion related fraudulent or false health care reimbursement claims in Fiscal Year 2015. Witnesses also testified that incidents of medical device, prescription drug and home-based services are growing and of particular concern for federal agencies.
- Toumey CEO to Personally Pay $1M to Settle False Claims Act Case. On September 27, the Department of Justice (“DOJ”) announced a $1 million settlement agreement with Ralph J. Cox III, the former CEO of Toumey Healthcare System (“Toumey”), to resolve claims that Cox caused the hospital to enter into agreements that financially rewarded physicians for patient referrals in violation of the Stark Law. In addition to the $1 million settlement, the agreement also excludes Cox from participating in any federal health care reimbursement programs for four years. The government specifically alleged that Cox, fearing that Toumey would lose lucrative outpatient procedure referrals to a new free-standing surgery center, caused Toumey to enter into contracts with 19 specialist physicians that required the physicians to refer their outpatient procedures to Toumey and, in exchange, paid them compensation far exceeding fair market value, including a portion of the hospital’s Medicare receivables for the referred procedures. During the trial against Toumey, which resulted in a $72.4 million settlement, the government alleged that Cox ignored and suppressed warnings from one of Toumey’s attorneys that the physician contracts were risky and raised red flags. This settlement continues to demonstrate the government’s intent to hold individual decision-makers accountable for schemes to defraud the federal health care programs.
- Vibra Healthcare to Pay $32.7M to Resolve Claims for Medically Unnecessary Services; Whistleblower to Receive at least $4M. On September 28, 2016, the DOJ announced that Vibra Healthcare LLC (“Vibra”), a national long-term care hospital (“LTCH”) and inpatient rehabilitation facility (“IRF”) chain, agreed to a $32.7 million settlement to resolve claims that Vibra had violated the False Claims Act by billing Medicare for medically unnecessary patients stays at five of its LTCHs and one of its IRFs. As part of the settlement agreement, Vibra has agreed to enter into a chain-wide Corporate Integrity Agreement with the Inspector General of the Department of Health and Human Services. A portion of allegations resolved by the settlement were originally filed under the whistleblower provisions of the False Claims Act by a former health information coder at Vibra Hospital of Southeastern Michigan. The whistleblower will receive at least $4M.
GAO Report Highlights Electronic Health Record Vulnerability to Cyber Threats and Recommends HHS Update and Strengthen Its HIPAA Security and Privacy Guidance and Oversight
On September 26, 2016, the Government Accountability Office (“GAO”) publicly released its report, Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight, which highlighted electronic health record (“HER”) vulnerability to cyber threats and the insufficiency of health information cybersecurity infrastructure. The report found that over 113 million individual health care records were compromised in 2015 due to hacking incidents. The GAO Report recommends that the Department of Health and Human Services (“HHS”), which has primary responsibility for setting standards for protecting electronic health information: (1) update its guidance for protecting electronic health information to address key security elements, (2) improve technical assistance it provides to covered entities, (3) follow-up on its corrective actions, (4) establish metrics for gauging the effectiveness of its audit program and (5) establish and implement policies and procedures for sharing the results of investigations between federal agencies. The Report notes that HHS generally concurred with the recommendation and stated it would take actions to implement them. Accordingly, the industry can expect updates to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security rules and increased enforcement of current requirements.
CMS Seeking Comments by October 11, 2016 Regarding Updates to the Voluntary Self-Referral Disclosure Protocol
The Centers for Medicare & Medicaid Services (“CMS”) is accepting comments through October 11, 2016 relating to proposed changes to its voluntary Stark Self-Referral Disclosure Protocol (“SRDP”). The SRDP program allows health care providers and suppliers to self-disclose actual or potential violations of the physician self-referral statute (otherwise known as the Stark Law) which resulted (or may have resulted) in the receipt of overpayments by the Medicare program. After reviewing an SRDP submission, HHS has the authority to reduce any amounts due and owing the government as a result of the disclosed physician relationships. After CMS established the SRDP on September 23, 2010, it was quickly overwhelmed by the large number of SRDP submissions, hindering its ability to timely settle with providers. Through 2015, the SRDP program resulted in 113 settlements totaling $16 million. No settlements have been announced in 2016.
The current SRDP submission guidelines can be found on the CMS website. CMS proposes to (1) streamline and simplify the current SRDP procedures by creating a submission form and overpayment worksheet and (2) extend the “lookback period” for reporting and returning overpayments from 4-year to 6-years for any SRDP submission received on or after March 14, 2016. While most of the required information remains unchanged, the proposed form notably includes a section on "Pervasiveness of Noncompliance," in which disclosing parties are required to speak to the frequent the type of noncompliance disclosure as compared to the universe of their physician financial relationships.
In our experience, some SRDP settlements have taken years. The new standardized process may lead to a quicker resolution of disclosures, which would be welcome by providers in the self-disclosure process. Interested parties should review the proposed SRDP revisions carefully and submit comments by October 11, 2016.