Welcome to this wee's edition of the Health Law Update,.In this Issue:
- Federal Healthcare Contractors Must Comply With Basic Information Security Safeguards
- Does the Medical-School-to-Prison Pipeline Widen in Middle Age?
- Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program
- Events Calendar
Federal Healthcare Contractors Must Comply With Basic Information Security Safeguards
In light of the uncertainty generated in the healthcare industry by recent decisions of the OFCCP regarding which entities qualify as federal contractors and subcontractors, this article explains which types of healthcare providers may be affected by the Final Rule.
On May 16, 2016, the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) issued a long-anticipated Final Rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause aimed at the safeguarding of contractor information systems that process, store, or transmit federal contract information.
The Final Rule, published at 81 Fed. Reg. 30439, requires federal contractors to implement minimum safeguards for certain information systems “reflective of actions a prudent businessperson would employ” to protect federal contract information on these systems. In light of the uncertainty generated in the healthcare industry by recent decisions of the Office of Federal Contract Compliance Programs (OFCCP) regarding which entities qualify as federal contractors and subcontractors, this article explains which types of healthcare providers may be affected by the Final Rule.
Providers Subject to the Final Rule
The Final Rule prescribes the new FAR contract clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” for solicitations and contracts under which a contractor or subcontractor “may have Federal contract information residing in or transiting through” their information systems. A federal prime contractor includes any person or entity directly contracting with the federal government to provide supplies or services, while a subcontractor can generally include any supplier, vendor, or firm that furnishes supplies or services for the performance of a federal contract or subcontract.
Examples of supplies that may be provided by a healthcare provider under a federal contract include pharmaceuticals, medical supplies, and medical devices, while services might include providing medical care to federal personnel under a contract with a federal agency, or contracting with the agency to reimburse medical care. Importantly, because the OFCCP relies on a different set of regulations to guide its decisions, healthcare providers subject to that agency’s rules are not necessarily subject to the Final Rule. Accordingly, providers should carefully review the nature of any federal programs in which they participate to ensure they understand which requirements do and do not apply to them as a result.
For those providers subject to the Final Rule, the new contract clause “applies to all acquisitions” where a contractor’s information systems “may contain Federal contract information.” This includes acquisitions below the simplified acquisition threshold, and only commercially available off-the-shelf items are exempt from the Final Rule. The scope and applicability of the Final Rule are intentionally broad “because [the] rule requires only the most basic level of safeguarding.”
Final Rule Requirements
The Final Rule’s requirements apply to “covered contractor information system[s],” which broadly include any information system “owned or operated by a contractor that processes, stores, or transmits Federal contract information.” The definition of “Federal contract information” is very broad and generally covers nonpublic information “provided by or generated for the Government under a contract to develop or deliver a product or service to the Government[.]”
The FAR contract clause identifies 15 performance-based security safeguards that contractors must implement to protect their covered information systems. These controls include, among others:
- Limiting system access to authorized users to the types of transactions and functions that authorized users are permitted to execute;
- Sanitizing or destroying information system media containing federal contract information before disposal or release for reuse;
- Limiting physical access to organizational information systems, equipment and their operating environment to authorized individuals;
- Escorting visitors and monitoring visitor activity, including maintenance of an audit log of physical access; and
- Monitoring, controlling and protecting organizational communications at the external and key internal boundaries of the information systems.
In addition, contractors must flow down the FAR contract clause to subcontractors for subcontracts “in which the subcontractor may have Federal contract information residing in or transiting through its information system.”
Because the Final Rule imposes only minimum standards, it does not affect any other safeguarding requirements that may be specified in contracts involving sensitive information such as Controlled Unclassified Information. Of particular relevance to healthcare providers, the Final Rule has no effect on their obligations to safeguard patient information under the Health Insurance Portability and Accountability Act.
The Final Rule becomes effective on June 15, 2016. Because the Final Rule prescribes only basic safeguards based on what the DoD, GSA and NASA perceive to be common practice in the private sector, many contractors are likely already in compliance. Nevertheless, healthcare providers that have direct prime contracts with the federal government should carefully review their information security practices, along with the practices of applicable subcontractors, to confirm that they are in accord with the requirements of the Final Rule; additionally, while the Final Rule is limited to information systems that may store or transmit federal contract information, contractors should consider the cost-effectiveness of implementing these safeguards on a broader basis in order to avoid inadvertent noncompliance.
Does the Medical-School-to-Prison Pipeline Widen in Middle Age?
The trend of holding physicians personally responsible for healthcare crimes has continued unabated over the past year. As noted in a previous article, physicians are particularly attractive targets for federal prosecutors due to the “special skill” and “abuse of trust” sentencing enhancements found in the U.S. Sentencing Commission Guidelines. While measuring physician participation in illegal activity is difficult, a review of U.S. Department of Justice (DOJ) press releases and select state prosecutions over a 12-month period shows that healthcare fraud appears to be the most popular charge. Common healthcare fraud violations committed by physicians involved lab schemes, medically-unnecessary services, false statements, fraudulent billing, patient-related offenses, kickbacks and bribes, and prescription drug schemes.
The following summarizes common violations of the law by physicians charged or convicted during the past year.
Common Violations of the Law by Physicians
|Age||Controlled Substance Violations||Money Laundering||Kickbacks/ Bribes||False Statements||Healthcare Fraud||Wire/ Mail Fraud||Tax Crime|
Based on our review of the cases in which age information was readily available, the majority of defendants were between 50 and 70 years of age, raising the question as to whether physicians in their mid-to-late years of practice commit more fraud, and if so, why. Such findings, while arguably anecdotal in nature, point to areas where healthcare and physician organizations are at risk and yield important information for developing and fine-tuning a compliance-auditing regime. In addition, with the exception of sexual assault and similar crimes, the physicians involved tended to be associated with smaller, non-institutional practices. This could be an indicator of the need for improved and continuous compliance training for physicians in smaller practices as they approach the midpoint of their careers and beyond.
The DOJ routinely emphasizes taking “a hard look” at internal business practices in an effort to identify risk and responsible individuals. To that end, providers should remain abreast of evolving risks and circumstances. The following survey of some of the reported physician criminal cases during the past year, largely from the DOJ press reports, provides useful examples of the types of activities that have landed physicians in prison.
Involving 28 physicians, the Biodiagnostic Laboratory Services referral kickback case is believed to comprise the largest number of medical professionals ever prosecuted in a kickback case. Biodiagnostic Laboratory paid kickbacks to the physicians directly in some cases and disguised as bogus lease and service agreements in others. The physicians have pleaded guilty to varying charges that have included money laundering, bribery, kickbacks, wire fraud, tax crimes and other violations. Prison sentences imposed on the physicians ranged from one to over three years.
Clinic medical director Henry Lora, M.D., 51, admitted that in exchange for bribes and kickbacks, he and his co-conspirators wrote prescriptions for home healthcare and other services for Medicare beneficiaries that were not medically necessary or not provided, and that they falsified patient records to make it appear as if the beneficiaries qualified for these services. Lora was sentenced to 108 months in prison and ordered to pay $30.3 million in restitution and to forfeit the same amount on his conviction on one count of conspiracy to commit healthcare fraud and one count of conspiracy to defraud the United States.
Rita Luthra, M.D., 64, a gynecologist, was indicted for allegedly accepting free meals and speaker fees from a pharmaceutical company in return for prescribing the company’s osteoporosis drugs, for allowing pharmaceutical sales representatives to access patient records and for lying to federal investigators. A pharmaceutical manufacturer allegedly paid Luthra $23,500 to prescribe its drugs. The payments consisted of: (1) a pharmaceutical representative bringing food to Luthra’s medical office 31 times and paying Luthra $750 to talk with her for 25-30 minutes while she ate, (2) catering a barbecue that Luthra hosted at her home for her friends, and (3) $250 for speaker training for Luthra, despite the fact that Luthra never spoke to any other physicians. The government alleged that Luthra’s prescriptions of the company’s drugs increased during the time she was paid by the company, and precipitously declined after the company stopped paying her. Luthra also allowed a PhARMA sales representative to access protected health information in her patients’ medical files and provided false information to federal agents when interviewed about her relationship with the manufacturer, and allegedly directed one of her employees to also lie to investigators.
Dr. Elena Polukhin, 58, was indicted for accepting kickbacks in exchange for referring patients to a pharmacy. At Polukhin’s request, the kickbacks from the pharmacy were made payable to the Roife-Nissenbaum Trust (RN Trust), a 501(c)(3) charitable trust founded by Polukhin, who also served as its chair of the board and president. The RN Trust purportedly supported several programs and services, including scholarships to students, a directory of medical providers, fitness programs, humanitarian missions and international collaborations, a mental health and chemical dependency program, medical research, and a “starving artist’s project.”
Dr. Jasminka Kostic, 59, was indicted for knowingly making false statements in a document submitted to the U.S. Citizenship and Immigration Services by falsifying medical certifications to help applicants bypass tests for U.S. citizenship. The certification provided a false length of time in which a medical examination was allegedly rendered to the applicant, and a false description of the clinical methods used to diagnose the purported impairments.
Prescription Drug Schemes
In a case deemed by the DOJ as “the first in the nation involving an organized scheme to defraud government health care programs through fraudulent claims for expensive anti-psychotic medications,” Dr. Kenneth Johnson, 49, was sentenced to nine years in prison for pre-signing prescription pads used by employees of Manor Medical Imaging to generate thousands of prescriptions for vulnerable identity theft victims (e.g., elderly Vietnamese beneficiaries of Medicare and Medi-Cal, military veterans recruited from drug rehab programs, and denizens of Skid Row). After the prescriptions were filled and paid for by the Medicare and Medi-Cal programs, they were sold on the black market and redistributed to pharmacies, where the drugs would be rebilled as new claims made to Medicare and Medi-Cal.
Medically Unnecessary Services
Neurosurgeon Aria O. Sabit, 39, pleaded guilty to four counts of healthcare fraud, one count of conspiracy to commit healthcare fraud and one count of unlawful distribution of a controlled substance. Sabit admitted to investing in a physician-owned distributorship (POD) and participating in an illegal kickback scheme that required the hospitals and surgical centers where he and his fellow neurosurgeons performed surgeries to purchase spinal implant devices from the POD. The physician admitted that his involvement in the POD caused him to perform medically-unnecessary spine surgeries on some of the patients and to “over instrument” his patients (using more spinal implant devices than were medically necessary to treat his patients) in order to generate sales revenue for the POD.
Farid Fata, M.D., 50, was sentenced to serve 45 years in prison and ordered to forfeit $17.6 million for his role in a healthcare fraud scheme that included administering medically unnecessary chemotherapy infusions or injections to 553 patients and providing unnecessary positron emission tomography scans. Fata also admitted to soliciting kickbacks from a hospice and home health provider in exchange for his referral of patients.
Dermatologist Robert Kolbusz, 58, was sentenced to seven years in prison for mail fraud and wire fraud in connection with his submission of “thousands of false claims to Medicare and private insurers,” for treatments to destroy pre-cancerous lesions. In reality, his patients did not have pre-cancerous lesions. Many of the treatments were performed by aestheticians in his office including cosmetic laser treatments on benign skin conditions that normally would not have qualified for insurance coverage and cosmetic procedures, such as Erbium “lunchtime laser peels.” Dr. Kolbusz, in one case, billed Blue Shield to remove 491 pre-cancerous lesions from a patient when in fact he performed laser procedures to lighten her freckles.
Pain specialists Drs. John Patrick Couch, 50, and Xiulu Ruan, 53, were arrested for knowingly and willfully ordering extremely expensive secondary urine drug tests, which were billed to patients’ insurance providers under the false pretense that they were necessary tests, and for distributing and dispensing Schedule II controlled substances outside the usual course of professional practice and not for a legitimate medical purpose. The indictment alleged the tests were ordered primarily because of the high reimbursement paid by insurance providers for the urine tests. The indictment further alleged that the physicians upcoded services that had been performed by physician extenders, such as nurses, using their national provider identifier numbers.
Pain clinic owner and operator Dr. Paramjit Singh Ajrawat, 60, was sentenced to 111 months in prison for filing claims for procedures that were not performed and for over-coding procedures, according to trial evidence. Ajrawat and his wife, Sukhveen Ajrawat, 57, a licensed psychiatrist, submitted claims for nerve block injections with the use of an imaging guidance machine, equipment they neither owned nor used. The Ajrawats also falsely documented patient files to conceal the scheme from auditors and law enforcement.
Dr. Tariq Mahmood, 63, carried out a scheme to defraud Medicare and Medicaid at hospitals he owned and operated along with others by adding, changing, and incorrectly sequencing diagnostic billing codes in a way that did not reflect the patients’ actual diagnoses and condition and often did so without reviewing the medical records. He was sentenced to 135 months in federal prison and ordered to pay restitution in the amount of $599,128.02.
Dr. Dennis Barson Jr., 42, received a 10-year prison sentence for fraudulently billing for rectal sensation tests and electromyogram (EMG) studies of the anal or urethral sphincter that were never performed, and for allowing unlicensed/unsupervised personnel to treat patients and then billing it as if they had been seen by a physician.
Dr. Barry Kaplowitz, 54, was convicted of making false statements related to healthcare matters and sentenced to 60 months in prison and ordered to pay more than $2.9 million in restitution. According to evidence presented at trial, Kaplowitz, who served as the medical director at a psychiatric hospital, signed false and fraudulent medical records in order to make it appear as though the hospital’s patients qualified for and had received intensive outpatient services, even though they had not. The evidence demonstrated that Kaplowitz signed patient files for over 400 patients certifying that he had treated the patients notwithstanding that he neither saw nor provided any services to these patients.
As a participant in managed care plans, Dr. Isaac Kojo Anakwah Thompson, 57, received approximately 80 percent of the capitation fee for each Medicare Advantage (MA) plan beneficiary who selected the internist as their primary care physician. To increase the capitation rate, Thompson falsely diagnosed 387 MA beneficiaries with ankylosing spondylitis. He then reported these diagnoses to the MA plan, which in turn reported them to Medicare. Consequently, Medicare paid $2.1 million in excess capitation, approximately 80 percent of which went to Thompson. All or almost all of the ankylosing spondylitis diagnoses reported by Thompson were false. Thompson pled guilty to one count of healthcare fraud and could face up to 10 years in prison.
Dr. Hsiu-Ying “Lisa” Tseng, 46, was sentenced to serve 30 years to life in state prison after being convicted on three counts of second-degree murder and other charges after a jury found she contributed to the deaths of three patients by prescribing large amounts of unnecessary drugs. The prosecution alleged that Tseng sometimes kept no medical records of visits or patient prescriptions and faked documentation when she was being investigated.
Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program
The health system needs to understand its IT capabilities and operating competencies and develop the required infrastructure to support clinical integration of the physician practices
Improving alignment between hospitals and physicians is essential to change the way care is delivered. The health system’s IT infrastructure, data sharing, and data analytics are key to a successful integration. However, rather than fully integrating as one healthcare system, many are a collection of different hospitals and physician groups, each with their own information systems for patient records, billing, scheduling, and release of information practices that create a patchwork of IT systems and varying degrees of privacy and security resources dedicated to maintaining these systems.
June 28-29, 2016
Washington, D.C., Partner Lee H. Rosebush will present on “Drug-Pricing as It Relates to Pharmaceutical, Pharmacy, and PBM Contracting – What Does It All Really Mean?” at the American Health Lawyers Association Annual Meeting in Denver, CO.
September 26, 2016
Washington, D.C., Partner Lee H. Rosebush will present on “Compounding-503(b)” at the National Association of Specialty Pharmacy (NASP) Pharmacy Law Conference in Washington, DC.