What Compliance Officers Need to Know Going Into 2023
Health care compliance programs must be dynamic in order to enhance their effectiveness. This dynamic aspect requires that compliance professionals be on top of recent government pronouncements and enforcement trends so that they can adjust and fine-tune their programs to incorporate and address developments and trends that impact their organization. This Legal Update focuses on key 2022 pronouncements from the government, including recent guidance from the Department of Health and Human Services (“HHS”) and HHS’s Office of the Inspector General (“OIG”), as well as notable enforcement trends. All of these developments can be used to assess compliance programs and incorporate new elements into those programs’ risk assessment process and work plan, starting the new year strong. So, sit back, get a fresh cup of coffee, and dig in.
Please feel free to reach out to a member of the von Briesen Health Law Section for more information and analysis on the information included in this Update.
New OIG Guidance on Compliance Programs
The corporate integrity agreements (CIAs) used by the OIG to resolve cases involving false billings reflect the OIG’s thinking on best practices for compliance programs. Recent CIAs incorporate enhanced provisions related to the structure of compliance programs that health care compliance programs should consider, including:
- Narrowing the scope of non-compliance responsibilities that a Compliance Officer can hold by requiring that the Compliance Officer not have “any noncompliance job responsibilities that, in OIG’s discretion, may interfere or conflict with the Compliance Officer’s ability to perform” their duties.
- Specifying that the Compliance Committee’s duties shall include reviewing the compliance policies and procedures at least annually, reviewing compliance training at least annually, and implementing and overseeing the compliance risk assessment process.
- Requiring the board of directors to retain an individual or entity to review the effectiveness of the organization’s compliance program.
HIPAA and Reproductive Health Privacy
In the wake of the historic Supreme Court decision overturning Roe v. Wade,1 HHS issued guidance to protect patient privacy, specifically within the area of reproductive health care.2 HHS noted that the HIPAA Privacy Rule supports access to comprehensive reproductive health care services “by giving individuals confidence that their protected health information (PHI) will be kept private.” The guidance confirms that providers are not required to disclose private medical information to third parties. Further, the guidance addresses the extent to which private medical information is protected on personal devices, providing pointers for protecting privacy when using various health information apps. Finally, HHS provides a reminder that individuals who believe that their health privacy rights have been violated may utilize the “OCR complaint portal” to file a complaint online, though it is not currently possible to report a HIPAA violation anonymously via the online portal.
OIG Guidance on Telehealth Risk Factors
In a data brief released this year, the OIG identified seven data points that may point to fraud and abuse in the use of telehealth services.3 Those seven factors include the following billing patterns:
- Billing both a telehealth service and a facility fee for more than 75% of their telehealth visits;
- Billing telehealth services at the highest, most expensive code for every visit. The OIG further noted that many of the providers that billed exclusively at the highest code for each visit also billed for additional time spent during the visit;
- Billing telehealth services for more than 300 days a year, averaging to more than 25 days per month for each provider (the median for all providers who billed telehealth services was 26 days of the year);
- Billing both Medicare fee-for-service and a Medicare Advantage plan for the same service for more than 20% of telehealth services;
- Billing an average of more than 2 hours of telehealth services per visit (the median visit lasted 21 minutes);
- Billing telehealth services for more than 2000 beneficiaries in a year (the median was 21 beneficiaries for all providers who billed telehealth services); and
- Billing for a telehealth service and ordering medical equipment for at least 50% of their beneficiaries (the median was 3% of beneficiaries).
These measures can be incorporated into a provider’s yearly risk assessment and audit plan. It should be noted that, in conducting this study, the OIG used very high benchmarks to identify suspected fraud and abuse. Compliance programs may want to use lower thresholds when reviewing their own data for claims that warrant further review.
Significant Enforcement Trends
Announcements about enforcement matters from the Department of Justice also provide important insight into enforcement trends that should be evaluated for inclusion in a provider’s annual compliance work plan. Many of the trends noted in last year’s “Compliance Year in Review” continue to be hot – enforcement matters premised on the Anti-Kickback Statute and alleging that services billed to federal health care programs were not medically necessary – but this year also reflected some new enforcement trends.
- An electronic health record (EHR) technology vendor, ModMed,4 paid $45 million to settle allegations that it violated the False Claims Act by accepting and providing kickbacks and by causing its users to report inaccurate information in connection with federal EHR incentive payments. Notably, it was alleged that ModMed was paid a kickback by a pathology laboratory in exchange for an exclusive agreement to develop “enhanced features” into its EHR platform that would drive physician pathology orders to the pathology lab.
- Management services organizations (MSOs) have been targeted in three DOJ enforcement actions. MSOs are now common tools to permit individuals or entities, including investment organizations that are not licensed health care providers, to manage clinical operations of licensed health care providers. These enforcement actions involving MSOs reflect the DOJ’s increasing sophistication in pursuing investment interests that it perceives to be improperly impacting the submission of claims to federal health care programs. For example:
  - The DOJ sued a number of health organizations and physicians related to an alleged scheme to pay physicians to induce referrals to critical access hospitals for laboratory testing. The hospitals paid recruiters to identify physicians who would refer laboratory testing back to the hospitals. The recruiters allegedly formed MSOs to make payments to referring physicians that were disguised as investment returns. One physician recently settled allegations that he had received thousands of dollars in kickbacks and is now cooperating against other defendants in the matter.5
  - An MSO organization and two of its officers agreed to resolve False Claims Act allegations for $24.5 million. The DOJ alleged that the MSO violated the Stark law and caused the submission of claims for medically unnecessary urine drug testing by, among other things, paying physicians affiliated with the MSO 40% of the profits from UDS tests referred to the laboratory owned by the MSO.6
  - The DOJ sued a nursing home management company and three affiliated nursing homes for providing services to nursing home residents that were grossly substandard or non-existent, pressing the nursing homes to cut their budgets and services, while the management company was paid multi-million-dollar management fees.7
- The DOJ’s use of the Anti-Kickback Statute continues to be a key enforcement tool in an increasingly broad array of contexts. For example, in September, a manufacturer of durable medical equipment resolved allegations that it violated the AKS by giving physician prescribing data to DME suppliers free of charge to assist their marketing efforts to physicians.8
- Focusing on services rendered by offshore personnel, a cardiac monitoring company paid $44.8 million to resolve False Claims Act allegations.9 The government alleged CardioNet entered into an agreement with a company located in India pursuant to which the offshore company provided diagnostic and analytic services of heart monitoring data. While a workflow was designed to route the tests of Medicare patients to technicians associated with a domestic entity for review, many tests were diverted to the Indian company when domestic workflows became backlogged. Moreover, the government alleged that many of the technicians were not licensed or certified to perform the subject monitoring.
- Genetic testing remains a hot target. At least two multi-million-dollar settlements were announced by DOJ related to medically unnecessary genetic testing. The University of California paid $2.98 million to resolve allegations that it ordered medically unnecessary genetic testing performed by a third-party laboratory.10 In addition, Metric Lab Services and two of its owners paid $5.7 million to resolve allegations that they paid kickbacks in return for genetic testing samples. In order to conceal the nature of the kickback arrangement, the companies entered into sham agreements with marketers to provide various consulting and marketing services.11
- The DOJ continues its focus on the war against opioid addiction by increasingly aggressive targeting of physicians who prescribe opioids in violation of the Controlled Substances Act. In some cases, the DOJ has sought temporary restraining orders against physicians pursuant to the Controlled Substances Act to stop them from prescribing opioids and other controlled substances.12
Significant OIG Advisory Opinion Summaries
Digital Substance Abuse Programs – Advisory Opinion 22-04 involved a technology application to provide a comprehensive personal support program to individuals with substance misuse disorders. The program provides certain incentives to the patients for achieving defined goals. The application is made available to patients primarily through health plans and addiction treatment providers, who pay for the program. While neither the payments from the customers to the platform nor the patient incentives were protected by a safe harbor, the OIG determined that the program presented minimal risk of fraud and abuse under AKS, citing four reasons that mitigated the risk of fraud and abuse: 1) the program being “protocol driven” and “consistent with nationally recognized research and treatment recommendations”; 2) the “relatively low value” of the individual incentives given to patients ($599.00 per year cap); 3) the number of program participants that do not have an “incentive to induce a Member to receive federally reimbursable services;” and 4) the safeguards for the patient rewards program, such as the anti-relapse protections.13
Genetic Testing and Counseling Data – Advisory Opinion 22-06 involved the provision of free genetic testing and genetic counseling services by a biopharmaceutical company that manufactures a drug to treat a disease that can be inherited. The free genetic testing is offered to individuals who meet specified clinical criteria. The third-party laboratory contracted to develop and conduct the testing provides monthly reports to a pharmaceutical company but the data does not include individually identifiable health information. The OIG found the Arrangement posed sufficiently low risk of fraud and abuse under AKS, citing three reasons: 1) several components of the program make it unlikely to lead to overutilization or inappropriate utilization; 2) the arrangement has a low likelihood of impacting clinical decision making or patient safety and quality of care; and 3) there are safeguards in place to prevent use of the arrangement as a marketing or sales tool to induce physicians to order additional items and services.14
Physician Ownership Interest in Medical Device Company – Advisory Opinion 22-07 involved an arrangement where physicians have an ownership interest in a medical device company that manufactures products that may be ordered by the physician owners and a physician spouse of one of the physician owners. The OIG found that the arrangement was not protected by any safe harbor, leading the OIG to evaluate it based on the totality of the facts and circumstances. Ultimately, the OIG concluded that the Arrangement poses a sufficiently low risk of fraud and abuse under AKS. Their reasoning included, among other things: 1) the limited amount of business for the Company generated by the Physicians and other Medical Group members in the arrangement; 2) the Physicians' decision not to attempt to influence hospitals or ASCs to purchase the Company’s products (excluding the ability to recommend Company products for surgeries they personally perform); and 3) the transparency regarding ownership interest in the Company (though the OIG notes that this factor is not sufficient on its own).15
Smart Phone Loans for Telehealth – Advisory Opinion 22-08 involved the use of approximately 3000 smartphones loaned by a federally qualified health center to its patients to facilitate access to telehealth services. The health center certified that the telehealth services it offers to patients via the limited-use smartphones are medically necessary services that are currently covered by Medicare and the State Medicaid Program. The OIG found that the arrangement implicates the Beneficiary Inducements CMP and AKS. However, the provision of limited-use smartphones and chargers to patients satisfied the Promotes Access to Care Exception during the PHE and the OIG concluded that the arrangement presents no more than a minimal risk of fraud and abuse under AKS. The OIG cited multiple factors, such as the source of funding for the phones coming from entities with “no financial interest in patients receiving services from the [health center],” and the low likelihood of interference with clinical decision-making.16
“Per-Click” Structure in Clinical Testing – Advisory Opinion 22-09 involved a proposed arrangement pursuant to which an operator of clinical laboratories (“Requestor”) would compensate hospitals on a per-patient-encounter basis for certain specimen collection services for laboratory tests that Requestor has furnished. The OIG found that the Proposed Arrangement would implicate AKS. Further, the proposed arrangement does not fit in a safe harbor, requiring it to be analyzed based on the totality of the facts and circumstances. This particular scenario warranted “careful scrutiny,” according to the OIG, as “laboratory services may be particularly susceptible to the risk of steering,” and “the Proposed Arrangement would involve a ‘per-click’ fee structure...” Ultimately, the OIG concluded that “because of the possibility that the per-patient-encounter fee would be used to induce or reward referrals to Requestor and the corresponding risk of inappropriate steering to Requestor... the arrangement would pose more than a minimal risk of fraud and abuse under [AKS].”17
NPs Covering Physician Duties – Advisory Opinion 22-20 addressed whether a hospital providing employed nurse practitioners (“NPs”) to perform services that are traditionally performed by the attending physicians implicated the AKS. The participating physicians are predominately primary care physicians and services provided by the NPs are done in collaboration with the treating physician. The OIG found that the Arrangement presented minimal risk of fraud and abuse under AKS; its decision centered on three factors: 1) the limited scope of the arrangement, applying to two non-surgical, non-specialty units at the requestor’s hospital campus (and not high referring specialty units); 2) the safeguards in place, including required communication and collaboration between NPs and Physicians; and 3) the low likelihood of the arrangement increasing costs to Federal health care programs.18
Having a compliance plan alone is insufficient to protect an organization. The DOJ and the OIG have made clear that the government does not consider a compliance program to be truly effective unless that compliance program evolves in response to the current enforcement climate and known risks. If you have any questions regarding these trends or the structure of your compliance program, please contact a member of the von Briesen Health Law Section.
1 See Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022)
2 HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, HHS (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html
3 OEI-02-20-00720; https://oig.hhs.gov/oei/reports/OEI-02-20-00720.asp
4 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims, No. 22-1181, U.S. DEP’T OF JUST. (Nov. 1, 2022), https://www.justice.gov/opa/pr/modernizing-medicine-agrees-pay-45-million-resolve-allegations-accepting-and-paying-illegal#
5 United States, ex rel. STF, LLC v. Christopher Grottenhaler, et al., Case No. 4:16-CV-547 (E.D. Tex). Related Press Releases: https://www.justice.gov/opa/pr/justice-department-files-false-claims-act-complaint-against-two-laboratory-ceos-one-hospital
6 April 12, 2022 Press Release: https://www.justice.gov/opa/pr/physician-partners-america-pay-245-million-settle-allegations-unnecessary-testing-improper
7 United States v. American Health Foundation, Inc., Case No 2:22-CV-02344, E.D. Penn. June 15, 2022 Press Release: https://www.justice.gov/opa/pr/justice-department-sues-american-health-foundation-and-its-affiliates-providing-grossly
8 September 1, 2022 Press Release: https://www.justice.gov/opa/pr/philips-subsidiary-pay-over-24-million-alleged-false-claims-caused-respironics-respiratory
9 Cardiac Monitoring Companies to Pay More than $44.8 Million to Resolve False Claims Act Liability Relating to Services Performed by Offshore Technicians, No. 22-1395, U.S. DEP’T OF JUST. (Dec. 20, 2022), https://www.justice.gov/opa/pr/cardiac-monitoring-companies-pay-more-448-million-resolve-false-claims-act-liability-relating
10 January 11, 2022 Press Release: https://www.justice.gov/usao-sdca/pr/uc-san-diego-health-pays-298-million-resolve-allegations-ordering-unnecessary-genetic
11 July 22, 2022 Press Release: https://www.justice.gov/opa/pr/metric-lab-services-metric-management-services-llc-spectrum-diagnostic-labs-llc-and-owners
12 July 28, 2022 Press Release: https://www.justice.gov/opa/pr/justice-department-obtains-temporary-restraining-order-prevent-tampa-area-physician-writing
13 OIG Advisory Opinion No. 22-04 (March 2, 2022), https://oig.hhs.gov/documents/advisory-opinions/1024/AO-22-04.pdf
14 OIG Advisory Opinion No. 22-05 (March 16, 2022), https://oig.hhs.gov/documents/advisory-opinions/1025/AO-22-05.pdf
15 OIG Advisory Opinion No. 22-07 (April 25, 2022), https://oig.hhs.gov/documents/advisory-opinions/1029/AO-22-07.pdf
16 OIG Advisory Opinion No. 22-08 (April 27, 2022), https://oig.hhs.gov/documents/advisory-opinions/1030/AO-22-08.pdf
17 OIG Advisory Opinion No. 22-09 (April 28, 2022), https://oig.hhs.gov/documents/advisory-opinions/1031/AO-22-09.pdf
18 OIG Advisory Opinion No. 22-20 (Dec. 29, 2022), https://oig.hhs.gov/documents/advisory-opinions/1062/AO-22-20_Ot53Mmd.pdf
von Briesen & Roper Legal Update is a periodic publication of von Briesen & Roper, s.c. It is intended for general information purposes for the community and highlights recent changes and developments in the legal area. This publication does not constitute legal advice, and the reader should consult legal counsel to determine how this information applies to any specific situation.