A variety of constituents are scrutinizing the health care industry from all angles. There is a national debate over health care delivery and financing, a growing belief that fraud and abuse are on the rise, increasing burdens on state budgets and health care providers, and spiraling Medicare and Medicaid spending. Recently, the White House proposed a multiyear $1.7 billion increase to the Health Care Fraud and Abuse Control Program and $890 million for IRS enforcement activities. In addition, there are daily developments in the political arena, which in turn are molding the way health care providers deliver care and comply with applicable federal and state laws and regulations.
This Commentary is intended to give you a brief overview of the hottest legal and compliance topics. Health care lawyers should be aware of these issues because they have the potential to be "the next big story." You do not want your client to be caught in the headlines. We hope that this Commentary provides you with an overview for navigating trends throughout the coming year.
Mandatory Compliance Programs
In his testimony before the Senate Special Committee on Aging on May 6, 2009, Inspector General Daniel R. Levinson set forth the Department of Health and Human Services ("HHS") Office of Inspector General's ("OIG") five-principle strategy to combat health care fraud, waste, and abuse. Specifically, the OIG recommended that health care providers and suppliers adopt compliance programs as a condition of participation in the Medicare and Medicaid programs. Further, Inspector General Levinson remarked that the Centers for Medicare and Medicaid Services ("CMS") should consult with the OIG on standards for mandatory compliance programs. Based on these positions, we anticipate seeing a movement towards mandatory compliance programs, either through legislation or on the OIG's own initiative.
Audits and Other Financial Investigations
Health care organizations are constantly under pressure to use limited resources in the most efficient manner. Regulators and enforcers have stepped up their monitoring of health care organizations through new and expanded audits and financial investigations, some of which are aimed at "improper payments" instead of the traditional fraud and abuse. Health care organizations should expect the wide variety of audits and other financial investigations that they have been encountering to accelerate. Some of these programs are the Recovery Audit Contractor ("RAC") program, the Payment Error Rate Measurement program, the Medi-Medi match program, and the government's use of Rapid Response Teams and Zone Program Integrity Contractors.
Because the RAC program is one of the most prominent and aggressive payment recovery efforts that health care organizations will face, health care organizations should continuously prepare for RAC audits, just as they routinely prepare for Joint Commission accreditation visits. The permanent RAC program was recently initiated, and it is scheduled to be operating in all states by 2010. RACs will review improper Medicare payments, with an emphasis on detecting and correcting past payment errors and implementing corrective action plans. The RAC program is probably already on most health care organizations' list of concerns, but now that the CMS has lifted the "stop work order," the permanent RAC program is gaining momentum. It is important for organizations to review their internal policies to ensure they properly address RAC audits. Strong, coordinated, and early responses to RAC findings will mitigate financial exposure and dictate providers' success on audit. Organizations should also consider performing sample reviews (under attorney-client privilege and work product protection) to identify risk areas and to make any necessary process improvements.
Health care providers should continue to track developments related to audits and financial investigations. As government agencies become more skilled at data prospecting, they will increasingly rely on providers' own data. In turn, providers should be prepared to tackle extrapolation issues and have answers and corrective actions in place if they have data outliers.
State Medicaid Enforcement Initiatives
New York has been leading the way nationally on Medicaid enforcement and financial recoveries. On April 24, 2009, New York's Office of the Medicaid Inspector General ("OMIG") issued its second work plan ("Work Plan") specific to the state's Medicaid program. The Work Plan is ambitious and wide-ranging and will require technical expertise to execute. It is required reading for all Medicaid providers because it identifies issues that Medicaid agencies across the country will be examining. There are similarities between the New York Work Plan and the HHS-OIG annual work plan, including the general format and certain focus areas, but providers and suppliers should know that this is not "business as usual." The New York Work Plan identifies a number of new target areas that OMIG intends to scrutinize. According to New York Medicaid Inspector General James G. Sheehan, New York was the most successful state in Medicaid program integrity last year (as measured by fraud and abuse recoveries reported to the CMS), and it identified more than $550 million in recoveries. Given New York's quantitative successes, states might wonder why they should "reinvent the wheel" when New York has already provided an extensive template for Medicaid enforcement.
The ambitious and unprecedented New York Work Plan is yet another sign that Medicaid compliance demands the same level of attention that providers and suppliers have been dedicating to Medicare. As other states follow with similar plans, the New York Work Plan provides a preview of what states may deem important focus areas in Medicaid enforcement.
Quality and Medical Care Scrutiny
There is growing attention regarding the quality of care delivered by health care providers. The media have honed in on health care quality issues, and unions have used quality as their frontline message. Health care quality and reimbursement are increasingly tied together. In the Medicare Improvements for Patients and Providers Act of 2008, the CMS set forth reimbursement incentives for quality standards and reporting, and federal health care reform proposals include a focus on quality incentives as well as financial penalties for falling short on quality. Health care providers also encounter quality incentives with programs such as the Physician Quality Reporting Initiative and the Hospital Outpatient Quality Data Reporting Program. In addition, the use of quality failures as the basis for False Claims Act ("FCA") allegations continues to develop. There is also a heavy focus on quality in Corporate Integrity Agreements ("CIAs"). For example, some CIAs require the use of an outside quality-of-care monitor, systemic quality controls, and quality improvement processes.
On March 24, 2009, the HHS-OIG wrote an "Open Letter" to health care providers containing what the agency has described as "refinements" to the OIG's Self-Disclosure Protocol ("SDP"). In the latest of four Open Letters about the SDP, the OIG announced two policy changes that serve to (1) clarify when the SDP should be used to address potential physician self-referral (Stark Law) violations (i.e., only when combined with colorable anti-kickback statute ("AKS") noncompliance); and (2) narrow the applicability of the OIG's April 24, 2006, Open Letter. In the 2006 guidance, the OIG had encouraged providers to utilize the SDP to voluntarily disclose potential violations under both the Stark Law and the AKS. In the most recent Open Letter, the OIG also announced that it will impose a minimum civil monetary penalty of $50,000 for noncompliance with the Stark Law and the AKS reported under the SDP.
The 2009 Open Letter is the OIG's latest step aimed at encouraging providers' voluntary compliance with federal program standards. It comes at a time when other developments, along with political and economic conditions, have made the stakes higher than ever for providers' compliance programs. On the federal level, both relators and the government are becoming more aggressive and expansive in their interpretation of the scope of the Stark Law and the AKS and how they can be predicates to FCA violations. State agencies are also increasing their Medicaid fraud enforcement activities, including new voluntary disclosure protocols in Texas and New York.
Even though the OIG has narrowed the scope of potential Stark Law violations that providers can disclose under the SDP, enforcement activity continues unabated. Providers discovering potential Stark Law violations now have more limited options for addressing them. In addition to enacting effective measures to remedy past noncompliance and to prevent similar occurrences in the future, the options for additional corrective action are, in effect, the same alternatives that providers had prior to the 2006 Open Letter.
Relationships with Medical Device and Pharmaceutical Companies
Health care organizations and physicians interact with multiple medical device and pharmaceutical companies. Government regulators and enforcers have been closely scrutinizing and evaluating these relationships. Recently, both the Advanced Medical Technology Association ("AdvaMed") and the Pharmaceutical Research and Manufacturers of America ("PhRMA") revised their respective codes of ethics. PhRMA updated its Code on Interactions with Healthcare Professionals ("PhRMA Code"), which took effect in January 2009. AdvaMed updated its Code of Ethics on Interactions with Health Care Professionals ("AdvaMed Code") in December 2008, to be effective July 1, 2009. The revised AdvaMed Code introduced and reinforced some broad restrictions and prohibitions on interactions between health care professionals and medical device companies. For example, companies that provide, market, and manufacture medical products are advised not to pay for entertainment activities or recreation (e.g., sporting events and equipment, theater, skiing) for health care professionals who are not company employees. Organizations should educate personnel who have contact with drug and device companies about the revisions to the AdvaMed Code and the PhRMA Code. Further, they should also consider updating their policies and procedures to reflect the changes that have been made to the AdvaMed Code and the PhRMA Code, which relators may allege constitute "best practices" or minimum standards of conduct.
There is also increased demand for transparency regarding relationships between health care providers and medical device and pharmaceutical companies. For example, Senators Grassley (R-Iowa) and Kohl (D-Wisconsin) recently introduced the Physician Payments Sunshine Act of 2009. Congress first addressed the disclosure of financial relationships between drug and device manufacturers and physicians when it considered the Physician Payments Sunshine Act of 2007. Congress will likely enact some version of this bill in 2009. If it is enacted, manufacturers of any drug, device, or biological or medical supply that is eligible for Medicare, Medicaid, or State Children's Health Insurance Program coverage would be required to submit their first annual report of payments or transfers of value above a certain threshold to the HHS on March 31, 2011.
Further, in February 2009, Pfizer issued a press release stating that by early 2010, it plans to publish an annual report of certain payments it makes to health care providers, institutions, and principal investigators. Similarly, on March 11, 2009, the Massachusetts Public Health Council adopted a final set of implementing rules setting forth the requirements with which pharmaceutical and medical device manufacturers must comply under a new law on manufacturer conduct. Though the Massachusetts mandates apply only to interactions between industry and health care practitioners licensed in Massachusetts, this new law has attracted national attention because of its unprecedented scope. The combination of these developments, along with some high-dollar and widely publicized settlements, signifies a growing need to effectively monitor relationships between health care providers and medical device and pharmaceutical companies. While Massachusetts has enacted the most vigorous state provisions to date, it certainly will not have the last word on the subject.
Revised Form 990 Disclosure Requirements
For more than 25 years, the Internal Revenue Service ("IRS") Form 990 has been primarily a "numbers" document, with various narrative disclosures tacked on over the years as gap fillers. Form 990 is the primary tool that the IRS uses to oversee the activities of tax-exempt organizations and to enforce federal tax laws governing tax-exempt status. The IRS addressed three main principles when it redesigned Form 990 for 2008—it aimed to promote transparency for the public and other stakeholders, promote tax compliance, and keep the burden on reporting organizations as minimal as possible. The recently redesigned Form 990 now more effectively targets potentially abusive transactions among officers, key employees, board members, and nonprofit health care organizations. It also places a greater burden on such organizations to justify the favorable tax treatment that they receive. As a publicly available document, the Form 990 makes any missteps by a nonprofit organization readily apparent to other federal regulatory agencies, state attorneys general, the media, and others who may not have the organization's best interests at heart.
Tax Law Whistleblowers
Traditionally, policing responsibilities regarding tax-exempt organizations fell to the IRS and state attorneys general. This enforcement environment is changing dramatically because of two factors—the significant new disclosure requirements in Form 990 and the newly created IRS Whistleblower Office. Congress amended the tax code in 2006 to increase the potential reward for informants who bring violations of tax laws to the attention of the IRS. These rewards may be 15 to 30 percent of the proceeds that the IRS collects (including penalties, interest, additions to tax, and additional amounts) as the result of an action based on information provided by the informant. Presently, these enhanced whistleblower provisions apply only to disputes involving more than $2 million in tax, penalties, additions to tax, and additional amounts. Although tax law violations are prosecuted exclusively by the government, the IRS has discretion to enter into tax administration contracts with whistleblowers and their attorneys to share confidential return information (e.g., tax returns of subsidiaries, directors, and officers and prior closing agreements settling tax disputes with the IRS) to allow the whistleblower to assist in the investigation. These developments have established a cottage industry of attorneys and others ready to report tax-exempt organizations and their board members for violation of various federal tax laws. There are many people looking at Form 990 filings, including plaintiffs' lawyers and potential whistleblowers, state attorneys general, Medicaid Fraud Control Units, local assessors, Congress, unions, new media, and bloggers.
American Recovery and Reinvestment Act of 2009
President Obama signed the American Recovery and Reinvestment Act of 2009 ("ARRA") into law on February 17, 2009. If your organization receives a contract, grant, or other payment appropriated or made available by the ARRA, you should review the broad whistleblower provisions set forth in the ARRA, including the requirements to post notice regarding whistleblower rights and remedies. As part of the accountability focus in the ARRA, employees are encouraged to disclose instances of a "reasonable belief" of gross mismanagement of covered funds made available under the ARRA. Further, organizations may not discharge, demote, or discriminate against whistleblowers as a reprisal for disclosing such information. The ARRA requires Inspectors General to investigate all complaints of reprisal (with few exceptions), and aggrieved employees may bring civil actions for compensatory damages if they believe they have been treated inappropriately after raising concerns. Many health care organizations have compliance plans in place to deal with employees who raise issues and to protect the organization from potential whistleblower claims, but they are likely not sufficient to cover the ARRA provisions.
Among many other things, the ARRA dedicates substantial resources to health information technology and investment in infrastructure to allow for and promote the electronic exchange and use of health information. Title XIII of Division A and Title IV of Division B of the ARRA are commonly referred to as the "Health Information Technology for Economic and Clinical Health Act." The ARRA provides that HIPAA security provisions as well as certain additional privacy and security provisions set forth in the ARRA will apply to business associates in the same manner that they apply to covered entities, and that such requirements must be incorporated into existing and future business associate agreements between business associates and covered entities. For example, the ARRA requires covered entities to notify each individual whose unsecured protected health information has been accessed, acquired, or disclosed as a result of a breach. Further, under the ARRA, covered entities that use or maintain electronic health records will need to account for disclosures made for treatment, payment, and health care operations purposes. Individuals will have the right to receive the accounting for this type of disclosure for three years (as opposed to six years for other disclosures). This change picks up all disclosures made in the clinical setting as well as all disclosures to business associates (which were formerly excepted as health care operations disclosures). Similarly, providers now face an August 1, 2009, deadline to comply with the Federal Trade Commission Red Flag Rules requiring certain procedures to detect, mitigate, and prevent possible identity theft related to covered accounts (including deferred-payment arrangements).