The Patient Protection and Affordable Care Act (PPACA) demonstrated the Obama administration's commitment to combat fraud and abuse in federal health care programs. PPACA contained numerous provisions impacting long-term care facilities. The application of these laws, together with amplified enforcement activities by the Office of Inspector General (OIG), places long-term care facilities at an increased risk of administrative, civil and criminal penalties for noncompliance.
The Elder Justice Act: Reporting, Penalties & Whistleblowers
The Elder Justice Act (EJA), enacted as part of PPACA, authorized a broad range of initiatives aimed to curb elder abuse, neglect and exploitation in long-term care facilities. The EJA establishes strict self-reporting requirements on any long-term care facility that received $10,000 or more in federal funds during the preceding fiscal year. Briefly stated, the EJA mandates all employees to report, within specified time limits, any reasonable suspicion of a crime against a resident of the facility. The EJA further requires all facilities to annually notify all employees of their obligation to comply with the EJA's reporting requirement. Facilities are prohibited from retaliating against employees who report a suspicion of a crime, and must conspicuously post for employees a notice of their rights under the EJA.
Employees who do not comply with the reporting requirements under the EJA may be personally subjected to a civil penalty of up to $200,000; the maximum penalty increases to $300,000 if failure to report the crime exacerbates the harm to the victim. Long-term care facilities that retaliate against whistleblowers under the EJA may also be subjected to civil monetary penalties of up to $200,000, and could be excluded from federal programs for up to two years. Increased protections for whistle-blowers place long-term care facilities under even greater scrutiny, as more employees are likely to come forward without fear of retaliation.
On June 17, 2011, the Center for Medicare and Medicaid Services (CMS) issued a Survey & Certification (S&C) memorandum to state survey agency directors regarding the EJA. In this memorandum, CMS acknowledged that it has not released any regulations that apply specifically to the EJA, but further explained that "the current obligations of [long-term care] facilities [are] to comply with the law as it is plainly written, without any delay that might be occasioned by waiting for any administrative rule making process that might further clarify application of the law."
Greater OIG Enforcement
Moreover, PPACA provides the government with new resources and tools to police against health care fraud. Armed with improved funding and greater authority, the OIG has ramped up its enforcement activities.
Each year, the OIG issues an annual report that describes how it will utilize its funding and focus its audit and enforcement efforts. The Work Plan (Work Plan) for the fiscal year 2011 set the stage for greater scrutiny of long-term care facilities when it outlined several new and continued enforcement activities the OIG has employed this year.
The OIG's efforts to combat fraud have come in large part in the form of Medicare and Medicaid auditing. CMS contracts with an alphabet soup of auditors (i.e., ZPICs, RACs, MACs and CERT) to investigate fraud and reduce improper payments. Although audit contractors are not a new phenomenon, there has been a recent enhancement in both the number of audits and the sophistication of the auditors, thus increasing the level of government scrutiny that all providers, including long-term care facilities, must face.
The OIG has engaged several other weapons as well, many of which stem from authority granted to them in PPACA. Specifically, civil and criminal penalties are being enforced and collected for false or fraudulent conduct relating to federally funded health care programs. The Department of Justice (DOJ) and the Department of Health and Human Services (HHS) have created a joint initiative, "HEAT" – the Health Care Fraud Prevention and Enforcement Action Team – under which hundreds of providers have been investigated and prosecuted, and millions of dollars have been recovered. Providers are further subjected to liability for fraudulent activity for failure to comply with PPACA's rigorous new reporting requirement for overpayment, in which providers are required to disclose and return all Medicare and Medicaid overpayments within 60 days of identification. Finally, the OIG has been making more frequent use of its exclusion authority. Under its exclusion authority, the OIG may exclude individuals and entities accused of fraud from participation in federal health care programs – in effect, shutting down a provider's cash flow until an investigation is resolved.
Mandatory Compliance Programs Under PPACA
Without a doubt, recent legislation and greater OIG scrutiny bring compliance to the forefront of importance. Adopting and implementing an effective compliance program is necessary for any long-term care facility to remain proactive in its efforts to comply with the law so as to reduce its risk of administrative, civil and criminal penalties.
The OIG has been encouraging compliance programs for more than a decade, releasing voluntary guidance for various categories of health care providers, including long-term care facilities. Many long-term care facilities have followed OIG's recommendations and adopted a program aimed at fostering a culture of compliance. However, PPACA has shifted compliance programs from recommended to mandatory. By 2013, all long-term care facilities will be required to create and maintain a formal compliance program that effectively prevents and detects criminal, civil and administrative violations and promotes quality of care. Sometime in the future, all other providers will be required to adopt a compliance program as a condition of participation in the Medicare and Medicaid programs. Although final regulations from CMS on mandatory compliance programs will not be issued until the end of 2011, long-term care facilities should, at the very least, analyze their current compliance program and determine what, if anything, must be done to comply with the requirements of PPACA. For example, although many of the requirements of a compliance program may be met by existing programs, one novel requirement under PPACA – that the organization use due care to not delegate substantial authority to individuals it knew, or should have known, to have a propensity to violate the law – may prove difficult for facilities that have even the most sophisticated compliance program.
Elements of an Effective Compliance Program
If established and implemented properly, a compliance program can improve the quality of health care and reduce overall costs; it plays a valuable role in not only avoiding violations of the law, but in reducing potential liability in the event a violation does occur. In fact, a compliance program may be considered evidence of "good faith" during audits, investigations or federal sentencing.
There is no "one-size-fits-all" approach to compliance programs. A program should be adopted to the size, resources and risks of the particular organization. However, PPACA will require the following elements, each of which is essential to an effective compliance plan:
- Written policies and procedures
- Compliance personnel
- Use of due care in delegating discretional authority
- Effective training and education
- Internal monitoring and auditing
- Consistent enforcement of disciplinary standards
- Appropriate response to detected offenses
- Periodic reassessment
Reinhart's Health Care team strongly encourages all long-term care facilities to make compliance a priority. Long-term care providers without a compliance program should take significant steps to establish and implement an effective program as soon as possible. Those providers that currently maintain a compliance program should take this opportunity to review their current program and revise it so as to align it with current organizational needs. In addition, an internal legal compliance audit should be undertaken to identify any areas of noncompliance that need to be addressed so as to bring the provider into compliance with current statutory and regulatory requirements.