Nationwide Medicare Fraud Busts

As we have noted over and over again in previous posts, the federal government has significantly ramped up its Medicare fraud and abuse enforcement. This time the crackdown on false billing schemes was staggering. Yesterday, in the largest single-day health care fraud bust in U.S. history, the Medicare Fraud Task Force charged and arrested 111 people, including physicians, nurses, and health care company executives, who allegedly swindled the federal government out of more than $225 million. These arrests took place in 9 major cities across the country. More specifically, the charges against these health care professionals were for fraudulent claims for services that were never provided, kickback arrangements, money laundering, and identity theft. More details are available in the HHS/DOJ press release.

For most providers, these types of crackdowns are of little concern because they target the most egregious and blatant fraud and abuse, and the overwhelming majority of providers are not involved in such schemes. Events like this, however, should serve as a reminder to even the most cautious and upstanding providers that the federal government has become increasingly serious about health care fraud and abuse enforcement. Between these enforcement efforts and increased auditing of providers through RAC audits, providers that remain vigilant will have a certain advantage over those that do not.

Government Intensifies Health Care Fraud Enforcement Efforts

Health care fraud and abuse enforcement is always on our minds and our clients' minds, but yesterday HHS and DOJ gave health care providers even more to consider when evaluating their own fraud and abuse compliance efforts.

HHS and DOJ announced the highest annual recovery amount ever from health care providers as a result of the federal government's fraud and abuse enforcement efforts.  According to the annual Health Care Fraud and Abuse Control Program ("HCFAC") report released yesterday, the government’s health care fraud prevention and enforcement efforts recovered a staggering $4 billion from health care providers in fiscal year 2010.

This year's $4 billion recovery amount is up 50% from 2009.  To further put this $4 billion into context,  the HCFAC has returned $18 billion total to the Medicare Trust Fund since its inception in 1997.  This increased recovery is due, at least in part, to the recently employed enforcement teams such as the Health Care Fraud Prevention & Enforcement Action Team ("HEAT") and the Medicare Fraud Strike Force.  In addition to these criminal enforcement recoveries, the government also obtained more than $2.5 billion in civil health care matters brought under the False Claims Act, which is the largest in the history of the DOJ. 

HHS also announced yesterday new rules authorized by PPACA (the Affordable Care Act) that will further intensify the government's efforts to fight fraud, waste and abuse in Medicare and Medicaid. Not only does PPACA provide an additional $350 million for HCFAC activities, but the rules also include new provider screening and enforcement measures and give the government the authority to suspend payments to providers while credible allegations of fraud are being investigated. These provisions, particularly the suspension of payment during investigations, are likely to have a significant impact on providers in the coming years. These regulations take effect March 25, 2011.

Although these recovery amounts seem high compared to previous years, health care providers should expect that recoveries may increase even further in coming years with the government's sharpened focus on health care fraud and abuse.

OIG Collects $26 Billion in Health Care Fraud Recoveries and Savings

The Department of Health & Human Services ("HHS") Office of Inspector General ("OIG") recently reported in its Semiannual Report that for fiscal year ("FY") 2010 it expected recoveries and savings of approximately $25.9 billion, which includes $3.8 billion in investigative receivables and $1.1 billion in audit receivables. The remaining $21 billion of the total consists of various cost-saving actions supported by OIG's recommendations in audits and evaluations. The FY 2010 expected recoveries and savings exceeded those of FY 2009, when OIG reported savings and expected recoveries of $21 billion.

In addition, OIG reported exclusions of 3,340 individuals and entities from participation in Medicare or other federal health care programs in the 2010 fiscal year.  OIG initiated 647 criminal lawsuits and 378 civil lawsuits against individuals and entities for violations of health care laws and regulations.

OIG focused particularly in the Semiannual Report on the successes of its Medicare Fraud Strike Force teams, which coordinate with federal, state, and local law enforcement to investigate health care fraud.  The Strike Force participated in an unprecedented takedown in seven cities that resulted in charges against 94 doctors, health care company owners, executives, and others for more than $251 million in alleged false billing.

Another highlight of fraud enforcement in FY 2010 was the $520 million that AstraZeneca agreed to pay the government to settle alleged false claims violations for kickbacks it allegedly offered to doctors in connection with unapproved uses of AstraZeneca's drug Seroquel.

HHS Withdraws HIPAA Breach Notification Final Rule

The HHS final rule on breach notification was submitted to the OMB on May 14, 2010, which is typically the final step before the final rule is published. HHS, however, “withdrew” the final rule from the OMB to “allow for further consideration, given the Department’s experience to date in administering the regulations,” as it stated in a notice posted on the HHS website. HHS failed to explain the reason for withdrawing the final rule for further consideration except to note that the breach notification issue is “complex.” 

The breach notification interim final rule issued pursuant to the HITECH Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. According to HHS, during the 60-day public comment period on the interim final rule, HHS received approximately 120 comments.

Many in the industry have speculated that this withdrawal may be related to the controversial “harm” threshold set forth in the rule. Under the harm threshold, a provider only needs to notify patients about a data breach if the provider determines that the breach presents a significant risk of harm to the patients. Critics of the harm threshold contend that all breaches should be disclosed and providers should not have the discretion to make such a risk assessment.

A final rule is expected in the coming months. This withdrawal does not have an impact on the interim final rule.

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.

Notification Requirements:

In the event that a breach is discovered, an entity subject to either the FTC or HHS rule must comply with certain notification requirements, including the timing, method, and content of notification.

    • Timing: A consumer must be notified of a breach of the security of their information “without unreasonable delay” and in no case later than 60 days after the discovery of the breach.
    • Method: Written notification must be provided to the individual via first-class mail at the individual’s last known address or, if the individual agrees, by electronic mail. Where the entity lacks sufficient contact information, a substitute form of notice “reasonably calculated” to reach the individual must be issued. If the insufficient contact information involves fewer than 10 individuals, notice may be made by an alternative form of written notice or by telephone. If the entity lacks adequate contact information for more than 10 individuals, the substitute notice must be placed in a conspicuous posting for a 90-day period, either on the home page of the entity's website or in major print or broadcast media in areas where the affected individuals are likely to reside.
    • Content: Notice must include, to the extent possible:

1. A description of the types of information that were involved in the breach (e.g., social security number, date of birth, diagnosis);

2. Any steps individuals should take to protect themselves from potential harm that could result from the breach;

3. A brief description of the steps that the entity is taking to investigate the breach, mitigate harm caused by the breach, and to protect against any additional breaches; and

4. Contact information for individuals to ask questions or obtain additional information. This contact information must contain a toll-free telephone number, email address, website, or postal address.

In addition to the above requirements, for breaches involving 500 or more people, the entity must provide notice to prominent media outlets serving the state or jurisdiction where the breach occurred.

Finally, entities subject to either rule must provide notification to the FTC (for non-HIPAA covered entities) or HHS (for entities covered by HIPAA). The FTC has provided a standard form (PDF) which can be used to report an incident. This form requests information on the type of breach, the manner in which the breach occurred, the information involved, and what steps the entity is taking to investigate the breach.

The FTC final rule (PDF) will be published in the Federal Register shortly, and will be effective 30 days after publication. The FTC will begin enforcement 180 days after publication.

The HHS interim final rule (PDF) is effective 30 days after publication in the Federal Register (which should be sometime in mid-late September) and includes a 60-day comment period.