On April 18, 2016, the Department of Health and Human Services Office of the Inspector General (“OIG”) issued revised criteria for implementing permissive exclusion authority. These revisions are a non-binding policy statement amending those criteria issued by the OIG in 1997 in a similar non-binding policy statement.
Both the 1997 and 2016 statements address how the OIG will approach excluding an individual or entity (“person”) from participation in Federal health care programs, such as Medicare and Medicaid, from engaging in conduct prohibited by Sections 1128A and 1128B of the Social Security Act. In the 2016 statement, the OIG describes a continuum of risk and the OIG’s responses to health care fraud based upon where the person falls on the continuum of risk. The OIG also revised and refined the criteria that it uses to evaluate the risk presented by a person.
The OIG has conceptualized health care fraud as a continuum of risk, with some people presenting a low risk of health care fraud and other presenting a high risk of health care fraud.
The severity of the OIG’s response to activities that constitute health care fraud decreases the lower on the continuum of risk the activities fall as follows (from most severe OIG response to least severe OIG response): (1) exclusion; (2) heightened scrutiny; (3) integrity obligations; (4) no further action; and (5) release.
The OIG will generally only release a person from exclusion authority when the person self-discloses the conduct cooperatively and in good faith or when the OIG determines that robust integrity obligations that have been agreed to by the person are sufficient to protect Federal health care programs.
In determining where a person falls on the risk continuum, the OIG considers four (4) general categories: (1) nature and circumstances of the conduct; (2) conduct during investigation; (3) significant ameliorative effects; and (4) history of compliance. Within each category are factors that have been determined to either: (a) indicate a higher risk; (b) indicate a lower risk; or (c) be neutral to the risk assessment. Selected examples of these factors are as follows:
Nature and Circumstances of Conduct
- Patient Harm. Conduct that causes or had the potential to cause any adverse physical, mental, or financial harm or other impact to program beneficiaries, recipients, or other patients indicates higher risk. A lack of patient harm is risk neutral.
- Loss to Federal Health Care Programs. The greater the amount of actual or intended loss to Federal health care programs, the higher the risk.
- Frequency of Conduct. Conduct that is continual or repeated indicates higher risk.
- Prior Conduct. Previous imposition, breach of, or refusal to enter into a corporate integrity agreement indicates higher risk.
Conduct During Investigation
- Termination of Fraudulent Activities. The inability of a person to engage in the conduct again because a contract or arrangement was terminated, or due to a change in Federal health care program rules, does not affect the risk assessment.
- Failure to Respond to Subpoena. Failure to respond to a subpoena within a reasonable period of time indicates higher risk. However, prompt subpoena response does not affect the risk assessment.
- Self-Disclosure. If the person initiated an internal investigation before becoming aware of the government’s investigation to determine who was responsible for the conduct, and shared the results of the internal investigation with the government, this indicates lower risk. If the person self-disclosed the conduct cooperatively and in good faith as a result of the internal investigation, prior to becoming aware of the Government’s investigation, this indicates lower risk. If the person clearly demonstrates acceptance of responsibility for the conduct, this indicates lower risk.
- Criminal Penalties. A criminal resolution indicates higher risk.
- Restitution. The inability to pay an appropriate monetary penalty to resolve a fraud case indicates higher risk.
Significant Ameliorative Effects
- Disciplinary Actions. An entity that has taken appropriate disciplinary action against individuals responsible for the conduct indicates lower risk.
- New Owner. If, since the end of the conduct at issue, the entity has been sold in an arm’s-length transaction to a non-affiliated, independent third party with a history of compliant participation in the Federal health care programs, this indicates lower risk.
History of Compliance
- Prior Self-Disclosures. If the person has a history, prior to becoming aware of the investigation, of significant self-disclosures made appropriately and in good faith to OIG, CMS (for Stark law disclosures), or CMS contractors (for non-fraud overpayments), this indicates lower risk.
- Compliance Program. The absence of a compliance program that incorporates the U.S. Sentencing Commission Guidelines Manual’s seven elements of an effective compliance program indicates higher risk. However, the existence of such a compliance program does not affect the risk assessment.
- Integrity Obligations on Successor Entities
In addition to the factors above, the new policy statement addresses factors that the OIG may consider when determining whether to apply integrity obligations to a successor entity following a corporate merger or acquisition.
Protective factors for a successor entity resolving a fraud case for an acquired person include when the successor: (1) purchased the acquired entity after the fraudulent conduct occurred; (2) has an existing compliance program; (3) does not have a prior history of wrongdoing or fraud settlements with the United States; and (4) took appropriate steps to address the predecessor’s misconduct and reduce the risk of future misconduct.
Finally, the new policy statement states that, regardless of risk, the OIG may favor remedies other than exclusion when the offending person is a sole source of essential specialized items or services in a community or provides items or services for which there are no alternative or comparable sources.
The new policy statement can help guide providers to operate so as to minimize the possibility that the OIG will impose exclusion authority upon the provider as well as its employees. Key compliance considerations include organized, coordinated, and timely procedures to address self-reporting and government investigations. The entire text of the April 18, 2016 OIG revised criteria for implementing permissive exclusion authority is available here.