By Jeffrey Blumengold, FHFMA, Partner, Forensic and Dispute Services, Deloitte Financial Advisory Services LLP and Christopher Panczner, Esq., Legal Counsel, Saint Vincent Catholic Medical Centers and Of Counsel, Epstein Becker & Green

Accelerating health care costs appear to be prompting federal and state regulators to pay ever-closer attention to how health care providers operate. In fiscal year 2007, the federal government alone initiated 878 criminal and 776 civil investigations; it had 1,612 criminal and 743 civil pending investigations; and was successful in obtaining 560 criminal convictions and collecting $1.8 billion in civil judgments or settlements.¹ Regulators are seeking evidence of fraud and non-compliance that significantly contributes to health care costs. Hospital administrators and those who advise them should be alert to recent shifts in the regulatory environment that are making robust, top-to-bottom compliance with both federal and state fraud laws, rules and regulations more important than ever.

Health Care Spending and the U.S. Economy
The health care “spend,” as it is called, has been increasing steadily for some time and is projected to increase significantly over the next few years. At a national level, the projected 2007 health care spend accounts for about 16 percent of the United States’ Gross Domestic Product (GDP). In just a few years, Centers for Medicare and Medicaid Services (CMS) expects it will reach 20 percent of the GDP². At the company level, employers are struggling with how to meet continuing significant health premium increases that they face.

In addition to health care fraud, factors among the population contributing to this inexorable increase in health care costs include aging, epidemic increases in the number of overweight and obese cases among young and old and increases in chronic diseases³. In a June 30, 2008 DLC State & Local Playbook article entitled Fighting Chronic Illness, Pennsylvania Governor Ed Rendell stated, “About 78 percent of all health care costs can be traced to 20 percent of all patients – those with chronic illness.”⁴ The scarcity of qualified medical professionals and the proliferation of procedures that can be performed in a physician office setting or in an outpatient environment can also challenge institutional health care providers when trying to curb their costs.

Changing Environment
For context, the Medicare and Medicaid programs were founded decades ago, in 1965. Since then, employers have experienced dramatic health care cost increases. At the same time, though, the regulatory environment and enforcement environment have changed dramatically. Shifting demographics and health care’s drain on GDP have challenged both federal and state governments to devise ways to contain costs and optimize the value received for expenses incurred.

The same demographic and cost factors drive not only the regulatory initiatives and the legislative initiatives we address below, but they can also impact other governmental initiatives. Some initiatives affecting hospital administration directly include electronic health records and the continual push for greater efficiency within the delivery of health care. Meanwhile, state governments are looking at whether health care resources are deployed optimally. In New York, the Berger Commission on Health Care Issues in the 21st Century issued its sweeping recommendations on restructuring New York State’s hospital and nursing home systems in November of 2006.⁵ New Jersey has followed a similar path, and other states continue to scrutinize health care delivery. Some states (most notably, Massachusetts) have even looked at universal coverage solutions, adding to the complex initiatives at the federal and state level that could affect providers significantly.

Enforcement Initiatives
When states examine the total spend on health care, they also examine fraud detection statistics to see whether they benchmark similar to that of other industries. As a result of this analysis, certain states, like New York, appear to be hiring and training an army of investigators at the present time to bolster examination and enforcement efforts to combat fraud.

For example, for years, CMS noted it had fewer than 10 people exclusively dedicated to Medicaid fraud enforcement. They relied on the state agencies like the Medicaid Fraud Control Units within each state Attorney General’s office. Now, CMS has significant additional funding ($50 million in both fiscal years 2007 and 2008, and $75 million in 2009) to attack systemic fraud, waste and abuse.⁶ As a result, there is a very significant initiative at the federal level, not only to fund more fraud enforcement efforts, but also to create programs that ferret out fraud through data matching, data mining, and where necessary, the hiring of contractors to go out as third parties to look for fraud, waste, abuse, or errors.

In addition, the incentives for reporting fraud – already strong – are increasing. Recovery Audit Contractors (RACs), also known as “RAC auditors,” are third-party contractors hired by CMS who are compensated in part on the basis of the overpayments that they identify. Moreover, RAC auditors are also supposed to look for underpayments (due to erroneous coding) and net those out against overpayments or inappropriate payments. However, RACs are not tasked with identifying civil or criminal fraudulent payments.

In 2005, as part of a three-year pilot program, RAC audits were initiated in California, Florida and New York and conducted by so called “demonstration RACs.” These three states were targeted for the pilot program because of their large Medicare expenditures; however, the RAC program is scheduled to expand nationwide no later than 2010 according to The Tax Relief and Health Care Act of 2006.⁷ The fact that the RACs are in part compensated on the basis of the overpayments that they identify, has caused some concern with the initial three states. The providers in these three states have been questioning whether demonstration RACs are actually trying to identify both sides of the equation because the incentive is so focused on identifying overpayments which proportionately equate to their compensation.

On December 7, 2007, CMS Administrator Kerry Weems, sent a letter to lawmakers, as well as the demonstration RACs, outlining changes to the permanent RAC program.⁸ Among the changes, the permanent program required RACs to have a Medical Director on staff and to refund any associated contingency fees if a determination is overturned at any stage of appeal. Previously, the demonstration RACs were only required to pay back their contingency fees if they lost a first-level appeal and not at subsequent levels in the appeal process.

Meanwhile, the states appear to be increasing enforcement. In New York, for example, the recently formed New York Office of the Medicaid Inspector General (NYOMIG) is led by Jim Sheehan, a former U.S. Attorney with a history of seeking out and reaching settlement for health care fraud. In 2006, NYOMIG and the Center for Medicare and Medicaid Services’ (CMS) entered into a Federal-State Health Reform Partnership in which the federal government agreed to invest $1.5 billion over the next five years or $300 million annually if NYOMIG’s fraud and abuse recoveries meet mandatory goals. These goals start in fiscal year 2008 at $215 million or .5 percent of NYOMIG’s “computable Medicaid expenditures” and increase each year of the five year demonstration period to $644 million or 1.5 percent. If NYOMIG is not successful, the state of New York will have to pay the federal government the lesser of the dollar difference between actual and target recoveries or the total claim to federal monies not to exceed $500 million.⁹ Given the need to identify large sums, the assumption is that the NYOMIG will be looking at particular groups within the industry – academic medical centers, pharmaceutical manufacturers, and managed care companies, for example – where NYOMIG has already begun requesting information and developing background for potential recoveries.

To put all of this in perspective, the amount of money recovered through this detection program in the prior year was only $70 million. Yet, the state will have to recover $470 million the first year alone in order to retain the federal government’s subsidy of $300 million a year for the first year of the five years. That is a startling difference, which could lead to much more scrutiny and at a minimum, potentially much more focused attention on the day to day business habits of the health care industry. Clearly, to achieve these targeted goals, the state may have to accelerate its efforts now and into the future.

In addition, the NYOMIG has several tools to work with, including:

• Legislatively, the New York False Claims Act (FCA) allows for the recovery of treble damages, so for every fraudulent or false claim that is submitted, the potential recovery can be three times the amount assessed.
  
• There are “whistleblower” protections against retaliation under that FCA statute, and we are seeing an increase in reporting by employees and others. Especially given that such statutes commonly award up to 30 percent of the funds recovered through a fraud or waste investigation to be paid to the whistleblower reporting it.
  
• The increased use of computers and technology to perform data mining and data matching to identify patterns and potential areas of abuse that may not have been apparent before. The NYOMIG is working with different contractors to start data mining, comparing Medicare and Medicaid data, as well as data filed in the public domain, with the IRS hospitals’ Form 990s.
  

Health care providers that get data requests from regulators should work with their lawyers and consultants to gather and organize data to preserve defenses. Even before a request is made, it is critical to have processes in place designed to facilitate data collection and track the type of data that regulators may seek.

The “Medicare Outlier” Issue
Over the past several years, the Department of Justice (DOJ) has conducted numerous investigations into whether health organizations have adjusted their Published Fees (Charges) so as to generate additional payments under what is known as the “Medicare Outlier” payment formula. In many cases, the organizations that are being investigated needed the assistance of teams of attorneys, consultants, and accountants to appropriately prepare to defend their actions and to the extent necessary, negotiate with DOJ in reaching a settlement.

Many of those investigations have resulted in multimillion dollar settlements, some of which are 501(c)(3), i.e., non-profit organizations. Given the size of some of the settlements, an organization could be placed in severe financial strain, potentially jeopardizing their ability to operate and meet the health care needs of their community.

Fair Market Value

Fair market value is the key part for many of the laws and regulations that govern relationships among health care industry participants. One principal federal statute is the anti-kickback statute, which prohibits the payment of any remuneration, cash or in kind, directly or indirectly, in exchange for referrals or business that could be reimbursed by Medicare or Medicaid. Under the anti-kickback statute, the government must prove that remuneration was paid or merely offered with the intent to induce referrals. Another critical federal statute for the health care industry is the Stark Law, also known as the “Physician Self-Referral Law.” Under the Stark Law, a physician or his/her immediate family member is prohibited from making referrals for certain types of health services for which Medicaid or Medicare payment may be made to a health care entity if the physician or immediate family member has a financial relationship¹⁰ with the entity, unless an exception applies. Some significant exceptions include employment, fair-market-value space or equipment leases and service contracts. Unlike the anti-kickback statute, intent is not relevant to the Stark Law. These two statutes are designed to prevent situations where a physician’s or a provider’s financial interest outweighs the best interest of the patient. Critical to this analysis is whether goods or services have been provided at fair market value, which can be complex.

How do you place a fair market value on what is supposed to be an arm’s-length arrangement between a physician or vendor and an organization? It takes a good deal of baseline knowledge, credible data and hands-on experience to assist organizations in understanding how business is conducted in the market and how to attribute and evaluate fair market value to business transactions, such as leases or compensation agreements.

Privacy and Security
One of the key components of legislation for privacy and security of individually identifiable and protected health information is the Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996. The federal Department of Health and Human Services (HHS) published national standards relating to HIPAA Privacy and Security, which were finalized in 2002 and 2003, respectively. Despite these efforts to increase the protection of individually identifiable and protected health information, recent events in the news repeatedly demonstrate the vulnerability of electronic transmissions of private and sensitive health information. The potential for widespread dissemination and abuse of this information is a real concern. HHS noted, “The same technological advances that make possible enormous administrative cost savings for the industry as a whole have made it possible to breach the security and privacy of health information on a scale that was previously inconceivable.”¹¹

What happens when a laptop containing confidential patient information is lost or stolen? What happens when data sent over the internet is intercepted? What happens when a hacker breaks into your servers and accesses information? In such instances, HIPAA law, the main federal law protecting the privacy and security of protected health information, as well as applicable state “breach notification” laws have been violated. “Breach notification” laws require notice be given to the affected patients after a privacy breach, where unencrypted or private personal information is compromised by unauthorized access. In many cases, states’ Attorneys General are empowered to take certain steps to remedy the problem.

Moreover, once there has been a privacy and security breach, like a stolen laptop for example, the organization may become the subject of an inquiry by HHS’s Office of Civil Rights (OCR). In preparation for this inquiry, as well as for the health care entity’s peace of mind, the entity should, among other things, determine how the breach occurred, when it occurred and what data may have been compromised. Needless to say this can be a daunting task. Once the scope of damage is determined, the affected patients must be notified – also a daunting task. Therefore, risk mitigation for breach of privacy and security should unquestionably be a part of the discussions health care administrators should be having regarding HIPAA violations.

HIPAA requires health care providers to name a “HIPAA privacy official” responsible not only for developing and implementing HIPAA compliance policies, but also for investigating complaints so that appropriate remedial action can be taken. Often, that person needs a technology background – more specifically, one that includes experience with health care information flows. That can make it more difficult to identify and recruit the right candidate to help strengthen risk management in the privacy area.

When it comes to HIPAA privacy and security, one of the biggest liabilities and one of the biggest risks can be to an organization’s reputation, particularly given the much more competitive marketplace in health care today. The HHS OCR has generally focused on training, teaching, and solving problems, rather than adopting the HHS’ Office of Inspector General’s (OIG)  approach of seizing computers and records. Although the OCR may not have the same influence as the OIG or the IRS, an investigation by the OCR can still pose a huge reputation risk to health care entities that experience a breach.

Although the privacy protection of the HIPAA statute may be used as a basis for a typical negligence suit, the statute cannot be applied in an independent, private cause of action for injured parties. In any event, HIPAA is a work in progress and compliance is a concern for many providers, though usually more challenging for smaller providers such as community hospitals and nursing homes, given their resource constraints.

Unintentional Noncompliance
Operating an organization within the health care industry can be like having three different customers with three sets of unaligned rules to comply with when selling your product or service. Providers must meet the requirements for those three specific customers (e.g., Medicare, Medicaid, and commercial insurance), even when their regulations conflict. Even in the best-run, most-compliant organizations, a third party review of the organization’s business relationships, accounting records and e-mail, could possibly result in the identification of potentially fraudulent claims or other errors or omissions that may otherwise form the basis for a claims investigation.

Compliance Issues
Health care compliance can prove to be challenging to health care companies. Several of the most challenging areas include:

• Accounts receivable management: Developing, using, and showing compliance with a published fee schedule can be surprisingly complicated. Coding services properly to avoid both over-charging and under-charging can be part art, part science, and finding capable coders who understand the nuances of the regulations can be difficult.
• Relationships with third parties: Relationships, whether between a physician and a vendor, between a hospital and physicians, or between a hospital and vendors, may be scrutinized to determine whether they are based on arms-length business market value. Those relationships should be evaluated in the light of increased regulatory scrutiny by both health regulators and the IRS.
• Form 990 disclosure for nonprofits: The IRS appears to be focusing with great intensity on how 501(c)(3) organizations operate – and whether their services constitute a “charitable purpose” that deserves tax exemption. The recent significant enhancement of the disclosure required on IRS Form 990s highlight this concern. Among many other details, these new forms call for much fuller disclosure of executive compensation – and Form 990s are available to the public.
• Property tax exemptions for nonprofits: States are increasingly looking at whether the property tax exemptions for hospitals and charitable organizations are appropriate. An Illinois hospital recently lost its property tax exemption, a huge benefit to a non-profit organization. The basis for the challenge was the IRS’s determination that there was neither enough charitable care being provided, nor enough community benefit being derived to justify the tax exempt status.

In particular, tax-exempt bond financing is the other area that the IRS appears to be actively scrutinizing. For years, institutions have used tax-exempt bond financing to raise capital to build buildings and acquire equipment. Those bonds require certain ratios and commitments to be satisfied in order for the bonds to be tax exempt. If the IRS revokes an institution’s 501(c)(3) status, a complete refinancing of a health provider’s bond issue could be required.

The Fraud Spectrum
Fraud can take many forms, including some of the following examples:

• A health care provider chooses to do significant business with a local printing company because of an undisclosed relationship between someone at the printing company and a member of the health care provider’s Board of Directors or management. Had the printing work been procured through an appropriate bidding process, the conflict of interest and inflated price for services could have been avoided.
  
• Leases for space or equipment may be negotiated at rates that are lower than fair market value providing the physician with a discount on rent in exchange for patient referrals. The opposite is also true when higher than fair market value prices are used as a vehicle to provide compensation to physicians in exchange for referral of their patients. For example, a group of physicians may own an office building which houses doctors’ offices where they see their private patients. Because of the office building’s close proximity to the hospital, the hospital agrees to lease space at above market values from the physicians’ group to operate an out patient clinic. In exchange for the premium rent, the physicians agree to make referrals to the hospital.
  
• “Quality of Care” issues arise when a health care entity’s staff member bills for services as if they were provided, when in fact they were never provided, partially provided or provided, but worse yet, not medically necessary. These issues are all important to the OIG.
  
• In the clinical setting, there may be double billings for services never provided. For example, billings may exist for a patient on two separate dates, when the patient was treated only on one of the dates. There have also been instances where billings were submitted for deceased individuals.
  
• Systemic fraud may arise in situations where a physician’s arrangement exists between a physician and the hospital to which he/she refers patients. The physician receives payments for providing administrative services, teaching services or perhaps, consulting services to the hospital. However, the level of actual services provided by the physician is not, upon close examination, well documented or considered commensurate with the payments received. Physician arrangements have at times been used to “cover-up” the underlying agreements to pay remuneration in exchange for patient referrals. If the payments to the physicians were intended to induce referrals, the anti-kickback statute has likely been violated. These situations raise fair market value concerns. Similar situations may exist between that of physicians and manufacturers of medical devices. For example, a physician receives payment for consulting services and in exchange promotes the use of the manufacturer’s medical device, sometimes exclusively.

Red Flags
Some of the red flags may include:

• A health care organization having trouble meeting its bond covenants may be tempted to cut corners by recruiting physicians who can deliver more patient volume and/or a higher case-mix, but not necessarily provide sufficient additional resources to ensure that the level of service needed to support that additional volume is there.
  
• Health care organizations are very labor intensive, so they often outsource staffing of particular areas, such as staffing necessary for certain home health care services and staffing aides. The less direct control health care organizations have over patient services, the more opportunity there is for fraud.
  
• When an investor wants to invest in a health care entity or business, the investor will frequently conduct the due diligence to determine whether the targeted company has a “culture of compliance.” Either compliance is a part of its culture, something that runs throughout its systems and processes and in which the Board, CEO and management have a vested interest and have created that “tone at the top” or, it may be more desultory – with a nominal compliance officer who does not really report to the board or CEO, does not really have a role, and is not really active and involved. Without a true culture of compliance, a health care organization is more vulnerable to fraudulent behavior and reporting non-compliance.
  
• Within the home health care field, reimbursement can be enhanced based on the provision of physical therapy services above a certain threshold. For instance, if the prescribed level of treatment is eight therapy treatments, but an extra $2,000 can be billed at the 10 treatment visit level, there is an inherent incentive to reach that level of service, whether definitively indicated or not.

Leading Practices

Leading practices start with good corporate governance and the premise that the board is an organization’s steward and ultimately responsible for regulatory compliance. This top-down corporate culture of compliance could be a good solution especially if coupled with Sarbanes-Oxley rules.  These rules, which apply to public companies, provide an excellent template for engaging a corporate board. Although non-profits, 501 (c)(3)s in particular, are exempt from Sarbanes-Oxley, the statute embodies good leading practices that can strengthen corporate culture, which non-profits can electively adopt. Another good governance template can be found in some of the HHS OIG’s “Corporate Integrity Agreements,” which require certain corporate governance practices such as compliance and various reporting programs. In addition, the new IRS Form 990 also requires organizations to disclose policies and procedures for dealing with “Conflicts of Interest” and “Whistleblower” claims, as well as “Hospital Governance” and “Independence.”

Effective, ongoing compliance education is essential and will not be accomplished in a 20 minute commercial about leading practices. Education can make a difference if the result is embedding compliance leading practices in the way employees think and act. Employers need to educate and encourage employees to report alleged wrongdoing or behavior they believe to be suspicious or questionable, even if they are unsure. Employers should also make clear to employees reporting potential problems that these matters will be investigated and that the individual reporting the matter will be protected against adverse personal consequences by the organization’s non-retaliation policy. This is the type of environment that both federal and state regulators are trying to inculcate.

Responding to a “Knock at the Door”
If an organization is contacted by federal or state regulators or law enforcement, it can be critical to be cooperative. It can be equally critical to engage counsel and advisors in the process immediately. Employees should be trained that when they are contacted, either in person or on the telephone by a regulator or the Attorney General’s Office, they should request management or the provider’s legal counsel be present. It should also be noted that union employees may have the right to have a union representative present during interviews.

It is important to determine what is being requested specifically – its form, its deadline, its formality, and whether it is provider-specific or industry-wide (if the latter, an industry group may be able to provide support). Additionally, employers should train employees to recognize that there is a time and place for response.

There is a fine balance between under-reacting and over-reacting. It’s important to engage professionals who have dealt with the various regulators who come knocking. Experienced professionals who have been through investigations before can help tell whether requests are reasonable and how best to address them. They also can bring credibility to the table and help explain complex situations that may otherwise appear unreasonable.

It is also essential to institute a document retention policy. You do not want to inadvertently destroy documents as part of policy once you are aware of an investigation. It is also suggested that you have document retention notices drafted in advance, so you are in a position to issue them immediately upon commencement of an investigation.

The compliance challenges in the near future will likely be greater. Health care providers have heard for years from lawyers and consultants that they should be compliant, that they should have certain processes and safeguards in place. To some extent, health care entities have put some helpful systems in place, but the environment has since shifted.

Smaller organizations may lack the infrastructure to put appropriate preventive measures in place. They appear to be struggling to deliver health care services that the community needs, and they may not have the budget or skilled personnel necessary to support an Internal Audit function, a Compliance Officer or a Privacy Officer.

For larger organizations, not only should strict compliance receive a high priority in the budget process so that sufficient resources are devoted to it because of the shifting environment, but the need to comply fully with all relevant federal and state regulations must be understood and “owned” by the Board of Trustees, CEO and management.

In a period of enhanced oversight, regulation and government enforcement initiatives, health care organizations could be at high risk and should consider evaluating their current corporate governance and compliance programs and implementing improvements to reduce the risk, where possible to do so.

Related Content: 
Video: The Current and Evolving Health Care Compliance and Fraud Environment

---

1. PR Newswire - Press Release Fact Sheet: Department of Justice Efforts to Combat Health Care Fraud and Abuse, May 28, 2008.
2. Data from the National Health Expenditure Accounts (NHEA) prepared by the Office of the Actuary, Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services.
3. In 2002, the percentage of Medicare spending on chronic conditions was 95% and the percentage for Medicaid was 77%. R.L. Mollica and J. Gillespie, Care Coordination for People with Chronic Conditions, January 2003, as quoted in a report by the National Governors Association, “Healthy Aging and States: Making Wellness the Rule, Not the Exception,” 2004, retrieved May 7, 2008.
4. Fighting Chronic Illness, June 30, 2008.
5. Report available at www.nyhealthcarecommission.org/final_report.htm.
6. Report available at www.cms.hhs.gov/DeficitReductionAct/Downloads/CMIPupdateaugust2007final.pdf.
7. Report available at http://ensign.senate.gov/issleg/legislation/pl109-432.pdf [Section 302].
8. CMS Acting Administrator Kerry Weems’ December 7, 2007 letter referenced at www.ahanews.com (December 11, 2007)
9. New York State Office of Medicaid Inspector General, 2006 Annual Report, pages 26 and 27.
10. Under the Stark Law a financial relationship can be direct or indirect and may be an investment, ownership interest or a compensation arrangement.
11. See Department of Health and Human Services , Office of the Secretary, 45 CFR Parts 160 through 164, page 28 at link http://aspe.hhs.gov/ADMNSIMP/final/PvcPre01.htm.