COMPLIANCE 101

The ROADMAP to
COMPLIANCE
The Importance of Staying Current
on Your Compliance Efforts
September 5, 2013
Presenter:
Debra A. Geroux, CHC
WHY Do I NEED a Compliance
Program?
• To identify common roadblocks to an effective
compliance program
• To learn how to test the effectiveness of a program
• To identify ways to strengthen and encourage staff
participation in the program
Why Do I NEED a Compliance
Program? (cont.)
• Increased DOJ, OIG & OCR Enforcement
• Consumers are more Knowledgeable and Active
• Whistleblowers
• Federal Sentencing Guidelines
• Criminal, Civil and Administrative Penalties
• Top-Down Liability—Corporate Responsibility
and Director Liability
• Heavy Fines & Penalties
• Regulatory Exclusion is a Corporate Death
Sentence
So what is “Compliance”?
“A successful compliance program addresses the public
and private sectors’ mutual goals of reducing fraud and
abuse; enhancing [health care providers’] operations;
improving the quality of health care services; and
reducing the overall cost of health care services.
Attaining these goals benefits the [healthcare industry],
the government, and patients alike. Compliance programs
help [healthcare providers] fulfill their legal duty to
refrain from submitting false or inaccurate claims or cost
information to the Federal health care programs or
engaging in other illegal practices.”
~OIG Compliance Supplemental Program Guidance for Hospitals (January 31, 2005),
https://oig.hhs.gov/fraud/docs/complianceguidance/012705HospSupplementalGuidance.pdf
So what IS it Exactly?
• A compliance program is a management
system for preventing inappropriate conduct
within an organization. It provides guidance
and support across the organization for
employees to make appropriate decisions
regarding both clinical and business
practices, decisions and behaviors
Challenges to Building an Effective
Compliance Program
• Management Challenges
– BOD & Managerial Buy-In
– Company-Wide Commitment & Cooperation
– Acceptance of the CP—internally & externally
– Understanding of each person’s Role in an
Effective Program
Challenges to Building an Effective
Compliance Program (cont.)
• Administrative Challenges—Sufficient
Resources
– Resources—Time & Money to Keep Current with
Changing Laws & Regulations
– Consistent Enforcement/Monitoring/Evaluation
– Anonymous Reporting capabilities
– Thorough Education and Training of ALL
– Employee Awareness and Understanding
– Timeliness of Investigations and Follow-Up
OIG Major Compliance Areas
• False claims, kickbacks and referrals.
• Fraudulent reimbursement activity.
• Proper Coding, billing and documentation,
including strict adherence to Waiver and Write-off
Policy
• Patient Privacy Rights and HIPAA Compliance
• Quality of Care
• Contractual Joint Ventures
• Home Health Agencies
Compliance Program—Sources
US Sentencing Guidelines—USSG § 8B.2—
• adopted in 1991, the USSG still provide leniency for health care
providers who adopt compliance programs (reduced penalties
where there is an effective CCP)
• An effective CCP may reduce the chance of a qui tam (whistleblower) lawsuit
• Compliance Programs Can Work to Identify and Address
Problems Before A Catastrophic Stage Is Reached
2010 Amendments to USSG
In 2010, the United States Sentencing Commission amended the USSG to further
strengthen the role of the compliance officer. Under the Amendments, in order for
a corporation to be eligible to receive a reduced sentence, the following MUST be in
place at the time of a potential criminal act:
• CO should have a "direct reporting obligation" to the board or subgroup thereof
– Promptly in cases of criminal or potential criminal conduct, and
– At least annually regarding implementation and effectiveness of the entity’s compliance
program
• Compliance Program detected the criminal conduct before it was discovered or was
reasonably likely to be discovered outside of the organization (i.e., by regulators);
• The organization promptly reported the offense to the federal government;
• No corporate compliance officers were involved with, condoned or were willfully ignorant
of the criminal offense; and
• The organization conducted an assessment of its existing compliance program, including
modifications to the program as may be appropriate to prevent the occurrence of similar
conduct.
Compliance Program—Sources (cont.)
OIG Compliance Guidance—12 Industry-Specific Guidance
◦ Hospitals (1998 / Supplemental issued 2005)
◦ Home Health Agencies (1998)
◦ Clinical Laboratories (1998)
◦ 3rd-Party Medical Billing Companies (1998)
◦ DME-POS Industry (1999)
◦ Hospice (1999)
◦ Medicare+Choice Organizations (1999)
◦ Nursing Facilities (2000 / Supplemental issued 2008)
◦ Individual and Small Group Physician Practices (2000)
◦ Ambulance Suppliers (2003)
◦ Pharmaceutical manufacturers (2003)
◦ Recipients of PHS Research Awards (Draft issued 200
The 7 8 Elements of an Effective
Compliance Program
• Historically:
1. Written policies and standards of conduct
2. Designation of compliance officer and special
counsel
3. Effective training and education
4. Effective lines of communication
5. Enforcement of standards through publicized
disciplinary guidelines—consistency
6. Regular internal monitoring and auditing
7. Responding to detected offenses, developing
corrective action plan
Element 1—Implementing written policies,
procedures and standards of conduct
• Codes of Conduct—how people should act and
known risks in your organization/industry
• Look to OIG Corporate Integrity Agreements for
guidance on what has been imposed on others in your
industry
• Tailor to general population & specific departments
• Identify specific conduct requirements and sanctions
for violations
• Accessible to employees—post on company website or
provide with employee manual
Element 2—Designate a Compliance
Officer & Compliance Committee
• WHO will be responsible/accountable—CCO
• DIRECT access to the TOP (senior level officers
and BOD)
• Separate from General Counsel
• Accessible to All employees
• Responsible for Oversight and Monitoring—
includes updating program as risks/laws require
• Formalized Compliance Committee (charter
outlining roles & responsibilities)
Element 3—Effective Training & Education
• Initial Training– Within first days of Employment
• On-Going Training—at least ANNUALLY
• General & Job-Specific (i.e., HIPAA compliance for
all, versus billing compliance for A/R)
• Remedial Training
• Agents & Contractors need training, too!
• In-person or On-line—don’t just give them a manual
and assume they will read it!
• DOCUMENT all training and education—Who,
What, When, Where & How (and sometimes WHY).
Element 3—Education & Training (cont.)
• §6032 of the Deficit Reduction Act—Mandatory
Employee Education About False Claims Act Recoveries
o Applies to an entity including organizational units (a governmental
agency, organization, unit, corporation, partnership, or other
business arrangement) and individuals that receives or makes
Medicaid payments totaling at least $5 million annually
o Requires establishing written policies for all employees
(including management), and of any contractor or agent of the entity
o Required to be incorporated in State’s Provider Enrollment
Agreements
o Michigan State Plan adopted amendment in August 2007
o “Certification of Compliance” form sent to affected providers in FY
2007
DRA § 6032-Written Policy
Requirement
• Written Policies must provide detailed information about four
major topics:
o the federal False Claims Act;
o administrative remedies for false claims and statements;
o any civil or criminal penalties under state false claims laws; and
o whistleblower protections under federal and state law.
• Policies and materials must explain the role these laws play in
preventing Medicaid fraud and abuse and describe the "entity's
policies and procedures for detecting and preventing fraud, waste,
and abuse."
• Employee Handbook must be modified to include a specific
discussion of these topics.
Element 4—Developing Effective Lines
of Communication
• Open Communications—Employees should
know WHO to report to and HOW to Report
Issues
• Anonymous Tip Line
• Anti-Retaliation Policy—Whistleblower
Protections
• Mechanism for Notification of Changes in Policy
(i.e., post in common areas, discuss at training,
post on intranet or company website)
Element 5—Enforcing Standards through
Well‐Publicized Disciplinary Guidelines
• Potential Consequences CLEARLY Identified
(tiered system based on nature of
misconduct, i.e., warning, suspension or
termination)
• CONSISTENCY of Discipline—regardless of
WHO is non-compliant (i.e., top-down
application)
• REWARD Positive Behavior, too!
Element 6—Internal Monitoring &
Auditing
• Self-monitoring (management tool for daily operations)—Not
formalized/independent. Used to identify risk areas and see how operations are
progressing (i.e., new rules)
• Auditing—Formalized process (Internal and external) when need for objective
results and integrity is critical
– Formalized and Independent
• Frequency—at least annually (formalized audit)
– Billing Audits should be more frequent to detect potential “Overpayments”. Spot check sample of
30 per month
– “Overpayments” not returned promptly (60-days) are subject to FCA Liability as “obligation”
under Section 6402(a) of the ACA
– If no underlying illegality, voluntary refund and report to MAC is appropriate
• Create and follow a schedule for periodic audits
• Understand
Element 7—Responding promptly to detected offenses
and developing corrective action
• PROTOCOL for investigating reported violations/non-compliance
• Prompt, thorough and consistent investigation and resolution
• Reporting protocol (i.e., Self-Disclosure Protocol, over-payments, etc.)
o April 2013 Updated OIG’s Provider Self-Disclosure Protocol
o Applies to AKS/CMP Laws—CMS protocol for Stark Violations
o Guidance for filing specific types of Self-Disclosure—false billing, excluded persons and
potential AKS/Stark violations, along with calculations for applicable damages
o OIG will not demand an admission of liability in settlement agreements but will expect
payments above single damages, with a minimum multiplier of 1.5 times the single
damages.
o Minimum settlement penalties:
– $50,000 for all kickback-related violations accepted into the SDP
– $10,000 minimum settlement for all others accepted SDP matters.
o “Streamlined” internal process to reduce the average time a case is
pending to less than 12 months from acceptance into the SDP
Element 8—Conducting on‐going risk
assessments
• Newly Mandated by the ACA
• Previously was strongly suggested
• Periodic Review and update—at least
annually
• New York State Office of Medicaid Inspector
General (OMIG) Compliance Program
Assessment Tool, www.omig.ny.gov
The 8th Element under the Affordable
Care Act (ACA), P.L. 111-148
• §6102 of the ACA—SNF / NF required to develop a
compliance and ethics program and participate in a quality
assurance and performance improvement program by
March 23, 2013.
• In addition to 7 listed Elements of the OIG Compliance
Programs, ACA solidified an 8th Element—Assessment!
• Conceptually old, but now a Mandatory Element.
• Under the ACA, the organization must periodically
undertake reassessment of its compliance program to
identify changes necessary to reflect changes within the
organization and its facilities.
• Consistent with Amended USSG
Additional Mandatory Compliance
Programs under the ACA
• §6401(a)(7) of the ACA
o Compliance program as a Condition of Enrollment
o The Secretary of HHS in consultation with OIG to work on “core elements”
o 42 C.F.R. Parts 422 & 423—Compliance Programs for Medicare Parts C
(Medicare Advantage) and Part D (Prescription Drug Benefit Program ).
o Final Rule: Medicare Program; Policy and Technical Changes to the
Medicare Advantage and Prescription Drug Benefit Program, 75 F.R.
19678 – 19826 (April 15, 2010), available at:
http://www.gpo.gov/fdsys/pkg/FR-2010-04-15/pdf/2010-7966.pdf
o CMS Compliance Program Guidelines for Medicare Advantage
Organizations (MAO) and Prescription Drug Plans (PDP) (effective July 20,
2012), http://www.cms.gov/Medicare/Prescription-Drugcoverage/PrescriptionDrugCovContra/Downloads/Chapter9.pdf.
Certification of Compliance—A New
Tool for Effectiveness (and liability)
• OIG’s “Management Accountability and Certifications” by “Certifying Employees”-Eli Lilly Co CIA
“For each Reporting Period, each Certifying Employee shall sign a certification that states:
"I have been trained on and understand the compliance requirements and responsibilities as they relate to
(department or functional area), an area under my supervision. My job responsibilities include ensuring
compliance with regard to the (insert name of department or functional area). To the best of my knowledge,
except as otherwise described herein, the (insert name of department or functional area) of Lilly is in
compliance with all applicable Federal health care program requirements, FDA requirements, and the
obligations of the CIA.”
• “Certifying Employees” include:
– Lilly President & CEO
– Executive Vice President, Global Marketing & Sales
– Lilly USA:
• President, U.S. Operations;
• Senior Vice President, Account-Based Markets;
• Senior Vice President, Health Care Professional Markets;
• Vice President, Chief Marketing and Operations Officer;
• All national and executive sales directors, brand leaders, and business unit leaders in the HCP Markets,
• Executive Directors and directors in Account-Based Markets, and
• Executive directors and directors in Marketing and Operations
NY OMIG Certification of Effectiveness
New DOJ Initiative-ADA Compliance
• Barrier Free Health Care Initiative
– Civil Rights Division of DOJ & USAO
– ADA Enforcement
– Targets Discrimination in Access to Medical Care & Facilities
– Goals:
• effective communication for people who are deaf or have hearing loss
• physical access to medical care for people with mobility disabilities
• equal access to treatment for people who have HIV/AIDS.
– 19 Settlements Since October 2011
Source: http://www.ada.gov/usao-agreements.htm
Barrier Free Settlements
• Trinity Regional Medical Ctr & Trinity Health
Systems (April 10, 2012)
– Restitution of $198,000 to victims
– $20,000 CMP to United States
– Mandatory Employee Training—
• Immediately within 90 days and annually thereafter
– Creating and updating Policies & Forms
– Reporting Requirements
• Log of Accommodation Requests
• Log of Complaints—Notice to DOJ within 7 days
• 6-month reports to DOJ of Compliance Efforts
Source: http://www.ada.gov/trinity.htm.
Other Barrier Free Settlements
• Henry Ford Health System (February 1, 2012)
– $70,000 Compensation to Surviving Complainants
– Training, Updated Policies & Reporting Requirements
• The Heart Center of Memphis (June 27, 2013)
– $5,000 Compensatory Damages to Victim
– $1,000 CMP
– Training, Updated Policies & Reporting Requirements
• Center for Orthopaedic & Sports Medicine (April
1, 2013)
– $15,000 Compensatory Damages for Victims
– Training, Updated Policies & Reporting Requirements
Source: http://www.ada.gov/usao-agreements.htm.
Joint Commission’s Top 5 Non-Compliant Requirements in 2013
Legal Impetus for Effective Compliance
• False Claims Act (FCA)
• Anti-kickback Statute (AKS)
• Physician Self-Referral law (“Stark”)
• Civil Monetary Penalty Law (“CMP Law”)
• OIG Exclusion Authority
• Responsible Corporate Officer Doctrine
(RCOD)
• HIPAA/HITECH
The Government’s Arsenal for Fighting Fraud--the
federal False Claims Act, 18 USC §§3729-3733
• Main Provision for Liability: Section 3729(a)(1)(A) - (G)
o Subsection (A)—knowingly submits a false claim to the government or causes another to submit a
false claim to the government
o Subsection (B)—knowingly makes a false record or statement to get a false claim paid by the
government.
o Subsection (C)—Conspiracy to violate the FCA
o Subsection (G)—“Reverse” False Claims—knowingly retain money owed to the government
(retaining monies from improperly paid claims) paid in error by the get money from the
government, but to avoid having to pay money to the government.
o Subsections (D), (E), and (F) are rarely invoked.
o PPACA greatly expanded the reach of the FCA by essentially eliminating the
jurisdictional bar for qui tam relators (whistleblowers) and limiting “public”
disclosure to those made only to federal government.
o Damages & Penalties—Between $5,500 - $11,000 for each claim plus treble
(3x) the government’s damages—in no instance will government settle for less
than double damages if self-disclosure is made.
False Claims Act Risks-Reckless Disregard
Ineffective Compliance Programs create requisite intent for
FCA liability—the Medco, Caremark and Novartis cases
US ex rel Hunt et al v Merck-Medco Managed Care, 336 F Supp 2d 430 (ED PA
2004)
o FCA action related to Medco’s mail-order pharmacy services to federal employees
o First Complaint by government (intervention in qui tam) that included claim that lack of an
effective compliance program constituted reckless disregard to sustain FCA action
o “Plaintiffs have sufficiently alleged that Medco submitted its false claims knowingly under this
definition. At the very least, the Government has claimed that Medco's compliance programs
were either non-existent or insufficient, in satisfaction of the ‘reckless’ requirements of §
3729(b).” 336 F.Supp.2d at 441.
FCA and the Conditions of Payment
USA ex rel Spay v Caremark (ED PA December 20, 2012):
• “Part D plan sponsors must . . . [c]ertify in their contracts that they agree to comply with all federal laws and regulations
designed to prevent fraud waste and abuse. 42 CFR 423.505(h)(1)”
• “[A]s a condition for receiving payment, a Part D sponsor must certify the accuracy, completeness, and truthfulness of all
data, including claims data, related to the requested payment from the government. When that claims data is generated
by a subcontractor of a Part D Sponsor, such as a PBM, the subcontractor must similarly certify, as a condition of
payment, the truthfulness, accuracy, and completeness of the data.”
• “This interpretation (i.e., that the data certification is a condition of payment) finds support in CMS's Prescription Drug
Benefit Manual. Section 80.1, entitled ‘The False Claims Act,’ specifically references section 423.505(k)(3) and provides
as follows:
o Sponsors should devise their compliance programs so that their policies and procedures are consistent with the
Federal Civil False Claims Act . . . When submitting claims data to CMS for payment, Sponsors and their
subcontractors must certify that the claims data is true and accurate to the best of their knowledge and belief
[footnote referencing section 423.505(k)(3)]. The False Claims Act is enforced against any individual/entity that
knowingly submits (or causes another individual/entity to submit) a false claim for payment to the Federal
government.
o “The plain import of this language suggests that 42 CFR 423.505(k)(3) was designed precisely to make a
subcontractor's certification of the truthfulness, accuracy, and completeness of claims data a condition of payment.
Further, it indicates that false certification by a subcontractor of this information, which ‘causes’ the Part D Sponsor
to submit a false claim for payment to the government, is grounds for an FCA claim.
False Certification of Compliance
Recent decisions discussing the false certification theory of liability and the related issue of intent include:
• United States ex rel. Chesbrough v. Visiting Physicians Ass’n, 655 F.3d 461 (6th Cir. 2011) (in order to plead
and prove “falsity” under the implied false certification theory, relators must establish that a statute or regulation
conditioned payment on compliance.)
• United States ex rel. Wilkins v. United Health Group, Inc., 659 F.3d 295 (3d Cir. 2011) (ruling that
compliance with Medicare marketing regulations was not a condition of government payment under federal health
insurance programs, but that submitting claims to these programs while violating the AKS was actionable under the
FCA).
• United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262 (5th Cir. 2010) (refusing to base FCA
liability on the allegation that claims for payment for allegedly defective intravenous fluid pumps were “false” because
they violated an implied warranty of merchantability).
• Science Applications Int’l Corp. v. United States, 626 F.3d 1257 (D.C. Cir. 2010) (explicitly accepting the
implied false certification theory and noting that liability under this theory could be based on plaintiff’s showing that the
contractor “withheld information about its noncompliance with material contractual requirements”).
• Rodriguez v. Our Lady of Lourdes Med. Ctr., 552 F.3d 297, 304 (3d Cir. 2008) (finding that to state a claim
under the false certification theory, “it is necessary to allege not only a receipt of federal funds and a failure to comply
with applicable regulations, but also that payment of the federal funds was in some way conditioned on compliance with
those regulations").
• United States ex rel. Conner v. Salina Reg'l Health Ctr., 543 F.3d 1211 (10th Cir. 2008) (hospital's
certifications in annual cost reports to Medicare that it was in compliance with all applicable Medicare statutes and
regulations were not false certifications that violated the FCA because they were sweeping, general certifications that did
not violate specific conditions of payment).
Implied Certification and the FCA
• Implied certification is a rule of construction that generally
means that a claim for payment to the government (i.e. to
Medicare, Medicaid, or CHIP) is legally false if that party had, and
failed to meet, an ongoing obligation to comply with an
underlying law — regardless of whether that party submitted a
claim that was false on its face or expressly certified compliance
with that law when it submitted the claim.
• Implied Certification revived under the ACA—The ACA’s
amendment of the FCA to add violations of the AKS as a basis for
FCA liability essentially solidifies the implied certification theory.
Previously, Courts around the country were inconsistent in its
application
Ineffective Compliance Programs and the FCA-The 2013
Novartis Complaint, Case No. 11 Civ 0071 (April 26, 2013)
• Novartis was well aware that its speaker programs created opportunities to provide
kickbacks to doctors. In September 2010, Novartis entered into a settlement with the U.S.
Department of Justice to settle False Claims Act lawsuits based in part on violations of the AKS due to
illegal remuneration paid to doctors through such mechanisms as speaker programs, and signed a
corporate integrity agreement with the U.S. Department of Health and Human Services Office of
Inspector General agreeing to implement a rigorous compliance program.
• Even after entering into the corporate integrity agreement, Novartis’s compliance program failed
to prevent kickbacks from being paid in conjunction with Novartis’s speaker programs. No
individual at the company was tasked with examining its speaker program data to determine whether
the programs were used for an illegitimate purpose. Furthermore, although instances of speaker
program abuse were reported to Novartis, sanctions were generally mere slaps on the wrist. In some
cases, sales representatives who violated Novartis’s own speaker program policies were nevertheless
promoted. Even after September 2010, Novartis continued to conduct bogus speaker programs that
were simply vehicles for paying kickbacks to doctors in the form of honoraria and expensive meals.
• As a consequence of its violations of the Anti-Kickback Statute, Novartis has caused the submission of
numerous false claims for drugs to federal health care programs, including Medicare, Medicaid,
TRICARE and the Department of Veterans Affairs health care program, resulting in millions of dollars
in reimbursements. Novartis’s unlawful conduct caused those false claims to be made to and paid by the
federal health care programs.
The Anti-kickback Statute (“AKS”), 42
USC 1320a-7b
• Authorizes criminal and civil penalties (CMP) against anyone who
knowingly and willfully solicits, receives, offers, or pays remuneration,
in cash or in kind, to induce or in return for referrals for services payable
under federal healthcare programs.
• Single violation could bring $25,000 fine and imprisonment
• Additionally, each violation can carry a civil penalty of $50,000, plus
treble damages
• Under ACA, AKS violation can form basis for FCA liability
• Safe Harbors/Exceptions for certain arrangements
Not all Illegal Arrangements are the Same—The
Exceptions and Safe Harbor Protections
• AKS Safe Harbors & Statutory Exceptions (42 CFR 1001.952/42 USC §
1320a-7b(b)(3))
– 10 Statutory Exceptions, including risk sharing agreements, Discounts/price
reductions, GPO and Bona Fide Employee
– 22 Safe Harbors, including ASC Safe Harbor (42 CFR 1001.952(r))
• Stark Exceptions: Three types of exceptions:
– Exceptions applicable only to ownership interests (direct and indirect);
– Exceptions applicable only to compensation arrangements (direct and
indirect); and
– Exceptions applicable to BOTH ownership interests and
compensation arrangements.
The AKS and the ASC Safe Harbors, 42
CFR 1001.952(r)
• Four slightly different ASC Safe Harbors:
– Surgeon-Owned ASCs
– Single-Specialty ASCs
– Multi-Specialty ASCs
– Hospital/Physician ASCs
• Failure to Meet the Exact Requirements of the Safe
Harbor Not Necessarily Fatal
– If facts present a sufficiently low risk of fraud or abuse
under the anti-kickback statute
• When in Doubt, Ask! The OIG Advisory Opinion
Process
The Physician Self-Referral Law (“Stark”)
• Strict Liability Statute
• Prohibits submission of claims to Medicare for any claim for
Designated Health Service (DHS), if the referral of the service is
generated by a physician who has a prohibited financial relationship
with the entity
• Parties (entity and physician) who violate the Stark law are subject to
CMPs and Exclusion from Federal healthcare programs.
• Repayment obligation
• Potential $15,000 fine for each inappropriate referral
• Civil assessment of up to three times the amount claimed
• Can invoke FCA liability
The CMP Law, 42 USC § 1320a-7a; 42 CFR §
1003.102
• Penalties can range from $10,000 (FCA violations) to $50,000 (AKS violations)
per act plus treble damages
• Exclusion from federal programs
– Mandatory—minimum 5 years
– Permissive—minimum 3 years
• Prohibited Conduct includes:
– Submission of false or fraudulent claims
– Stark and AKS violations (illegal remuneration)
– Payments to induce reduction or limitation of services (i.e. early discharge)
– offering or giving remuneration to any beneficiary of a federal health care
program likely to influence the receipt of reimbursable items or services
– arranging for reimbursable services with an excluded entity/individual
The Rise of the Responsible Corporate
Officer Doctrine (RCO Doctrine)
• United States v. Park, 421 U.S. 658, 673-674 (1975): Liability as a responsible corporate officer does not turn upon a corporate officer’s approval of
wrongdoing, but rather on whether the officer had, by reason of his or her position in the
corporation, responsibility and authority either to prevent, or promptly correct, the violation at
issue, and the officer failed to do so.
• Purdue and a resurgence of the RCO Doctrine—3 executives of pharmaceutical company
excluded for 12 years under permissive authority based on their position in company and
their misdemeanor convictions based solely on their roles in the corporation
• 2010 OIG “Guidance for Implementing Permissive Exclusions Under Section 1128(b)(15)
of the [SSA]” (http://oig.hhs.gov/fraud/exclusions/files/permissive_excl_under_1128b15_10192010.pdf)
– Factors considered by OIG before imposing exclusion:
– the circumstances of the misconduct and seriousness of the offense;
– the individual’s role in the sanctioned entity;
– the individual’s actions in response to the entity’s misconduct;
– and information about the entity, including whether it has previously been convicted of a crime or found liable, or
resolved civil or administrative charges with a federal or state enforcement authority, and the size and structure of
the entity and its subsidiaries.
HIPAA Compliance & the New Breach
Rules
• Notable MEGA Rule Changes:
– New Requirements for Business Associates,
Subcontractors and BAAs—Direct Liability for Breach
– New Standard for Breach Notification
– Changes to Rules regarding Sale or Use of PHI for
commercial purposes (i.e., fundraising, marketing and
sale of PHI)
– Enhanced Individual Rights—access and restrictions
– Decedents Still Protected by HIPAA—50 Year rule
– School Immunization Records--No Authorization Needed
for CE to provide to School Officials
– Genetic Information in-line with GINA—Health Plans
– Notice of Privacy Practices (NPP)
Identifying Business Associates
• Inventory Your Vendors and Independent Contractors, as
the list of BAs has expanded.
– Patient Safety Organizations
– Data Transmission Organizations (Health Information
Organizations and e-Prescribing gateways) that routinely
access PHI, but not “conduits” who merely transport or
transmit information without accessing it (i.e., U.S. Mail)
– Vendors of PHI that provide services on behalf of a CE
– Anyone that maintains PHI on behalf of a CE where there is
a persistent opportunity to access PHI, even if it is not
actually accessed (i.e., warehouse / storage facility, cloud
computing)
– Make sure BAs get assurance from Subcontractors that they
will comply with Privacy & Security Rules to same extent as BA
– Checklist Template Included
So, why should CEs and BAs Care about
HIPAA and Compliance Generally?
• Ineffective CP = NO CP
• Enhanced Penalties—tiered CMPs under HIPAA up
to $1.5M
• Direct Liability of BA
• Stepped up Enforcement of CEs and BAs by OCR in
2013 and beyond
• Enhanced Enforcement—Mandatory Investigation
and penalties for Willful Neglect detected in
initial complaint and compliance reviews
– Secretary able to forego informal resolution and
proceed directly to formal action for
noncompliance
Recent HIPAA Settlement
• CBS Investigation leads to $1,215,780 HIPAA Breach Settlement
and Corrective Action Plan
• Leased copiers were returned to vendor without erasing data on
copier hard drives
• Estimated up to 344,579 individuals affected
• “This settlement illustrates an important reminder about equipment
designed to retain electronic information: Make sure that all personal
information is wiped from hardware before it’s recycled, thrown away or
sent back to a leasing agent . . . HIPAA covered entities are required to
undertake a careful risk analysis to understand the threats and
vulnerabilities to individuals’ data, and have appropriate safeguards in
place to protect this information.” ~ OCR Director Leon Rodriguez
Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.
OIG Resources for Compliance
• Physician Education:
– http://oig.hhs.gov/compliance/physician-education/index.asp
• Compliance Training
– https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp
• Corporate Integrity Agreements
– http://oig.hhs.gov/compliance/corporate-integrity-agreements/index.asp
• OIG Compliance Guidance
– http://oig.hhs.gov/compliance/compliance-guidance/index.asp
• Board of Directors Guidance
– http://oig.hhs.gov/compliance/alerts/guidance/index.asp
OIG Compliance Resources (cont’d)
• OIG Open letters
– http://oig.hhs.gov/compliance/open-letters/index.asp
• OIG Advisory Opinions
– http://oig.hhs.gov/compliance/advisory-opinions/index.asp
• OIG Annual Work Plan
– http://oig.hhs.gov/reports-and-publications/workplan/index.asp
• OIG Special Fraud Alerts
– http://oig.hhs.gov/compliance/alerts/index.asp
– March 26, 2013 Special Fraud Alert on Physician-Owned Distributorships
(PODs)
• “OIG is concerned about the proliferation of PODs. This Special Fraud Alert reiterates our
longstanding position that the opportunity for a referring physician to earn a profit, including
through an investment in an entity for which he or she generates business, could constitute
illegal remuneration under the anti-kickback statute. OIG views PODs as inherently suspect
under the anti-kickback statute.”
Parting Thoughts….
• Document, Document, Document. According to the
government, if it isn’t documented, it didn’t happen. This is
true of medical services and compliance efforts.
• Continuous Assessment & Modification is key to Effective
Compliance Programs.
• Periodic reviews of contracts to ensure compliance with
AKS/Stark
• A Stagnant Compliance Program is more harmful than
having NONE at all…Can you say Reckless Disregard and
Deliberate Indifference!
Questions & Comments
Debra A. Geroux, CHC
41000 Woodward Avenue
Bloomfield Hills, MI 48393
d 248.258.2603
c 248.767.1205
geroux@butzel.com