To paraphrase a famous quote, "Those who do not learn from history are doomed to repeat it," and providers who ignore the significance of the federal government's healthcare fraud enforcements efforts in 2012 do so at their own peril. As expected, 2012 saw an increase in the number of criminal, civil and administrative enforcement cases, fueled by additional funding and enforcement tools provided by the Affordable Care Act (ACA) and other regulatory overhauls that are fundamentally reshaping the healthcare industry. But 2012 also included unexpected and unprecedented developments that could serve as important indicators of what's to come in 2013. Using lessons from 2012, we have compiled a list of the ten fraud and abuse enforcement trends that providers simply cannot afford to ignore in 2013:
- Hospitals beware: Increased enforcement activity may be headed your way.
In 2012, large pharmaceutical companies frequently were targeted in enforcement actions. Many of the pharmaceutical industry's biggest players, including Abbott, GlaxoSmithKline (GSK) and Pfizer, settled allegations of off-label promotion and improper sales conduct by paying millions and, in some cases, billions of dollars to the federal government. However, now that most of these large pharmaceutical companies have resolved their fraud and abuse liability, the federal government appears to be shifting its enforcement focus to hospitals. The year 2012 saw a general increase in the number of settlements involving hospitals, with many settlements focusing on allegations that the hospitals were admitting patients for the performance of services, such as kyphoplasty services, that should have been performed on an outpatient basis. These settlements involved some large and well-known hospital systems and resulted in substantial recoveries for the federal government. Hospitals can expect more of this enforcement activity in 2013.
- When it comes to HIPAA/HITECH enforcement, the gloves are off.
The HHS OCR published an unprecedented number of settlements stemming from breaches of unsecured electronic health information under HIPAA/HITECH in 2012. In doing so, OCR sent a strong message to the healthcare industry: the time for education is over -- the time for enforcement is now. For example, the OCR published the first ever settlement agreement stemming from a breach affecting less than 500 individuals in 2013, further demonstrating its zero tolerance approach towards HIPAA/HITECH violations. In addition, the long-awaited HIPAA Omnibus Final Rule finally has been released, increasing the penalties noncompliant providers could face. In light of the Final Rule, we can expect record-breaking levels of HIPAA/HITECH enforcement activity to continue in 2013.
- More individuals, including C-suite executives, are being held personally accountable.
The federal government has demonstrated a willingness to supplement the deterrent effect of monetary penalties against noncompliant corporations by holding individuals, including corporate officers and executives, personally accountable for the actions of their corporation. This strategy was readily apparent in Friedman v. Sebelius (D.C. Cir., No. 11-5028, July 27, 2012). In Friedman, Purdue Frederick Company's president, executive vice president, chief legal officer and vice president of medical affairs each pleaded guilty to misdemeanor misbranding charges under the Responsible Corporate Officer (RCO) doctrine in connection with fraudulent marketing practices. Under the RCO, the government did not need to prove that the executives intended to violate the law -- just that they failed to prevent violations occurring within the company.
But the federal government's efforts to hold these individual's accountable did not stop with the criminal prosecution. The HHS OIG also moved to exclude the Purdue executives from participation in federal healthcare programs for a period of 20 years. While the length of these exclusions was eventually reduced, Friedman sent a clear message that fraud and abuse will be addressed at the individual as well as the corporate level.
Two other 2012 cases further demonstrated this approach. In its plea agreements with GSK and Abbott Pharmaceuticals, the DOJ required the president of GSK's North American Pharma Division and Abbott's CEO to personally certify, under penalty of perjury, that their respective companies had satisfied the government's compliance requirements under the agreement. Such Sarbanes-Oxley-type certification requirements underscore the government's focus on deterring fraud and abuse by holding individuals, including corporate officers and executives, personally accountable. As 2013 promises to bring more of the same, C-suite executives should be aware that failing to be actively involved in their organization's compliance efforts could result in personal liability.
- OIG's broadly interpreted permissive exclusion authority for misdemeanor conduct "related to fraud" may make some executives think twice about pleading guilty.
In addition to revealing the federal government's intention to hold corporate officers and executives personally accountable, Friedman also may have affected the strategy by which individuals charged with criminal healthcare fraud offenses choose to resolve their case. Recall that in Friedman, the Purdue executives pleaded guilty in a criminal case to a misdemeanor charge of off-label promotion of drugs. This charge did not require any proof or admission by the defendants that they had engaged in fraudulent or intentional misconduct. Nonetheless, the OIG exercised its permissive exclusion authority against the executives on the basis that a conviction for misbranding of a drug constituted a misdemeanor "relating to fraud" under 42 U.S.C. § 1320a-7(b). In upholding the exclusion, the D.C. Circuit Court of Appeals reasoned that the exclusion statute was intended to apply broadly to any conviction that has a "factual connection" to fraudulent conduct, even if the offense charged does not require proof of fraud. In light of Friedman, individuals should consider the consequences of pleading guilty to misdemeanor charges in an effort to resolve a case that could include felony charges, as doing so could result in exclusion if the OIG finds that the misdemeanor has a factual connection to fraudulent conduct.
- Plea agreements may be used more frequently as a compliance tool.
The DOJ has demonstrated that it was not opposed to placing offending companies under its own compliance supervision via a plea agreement, which could include more severe consequences for noncompliance than those typically found in a corporate integrity agreement. The GSK and Abbott plea agreements each included numerous compliance mandates that, if violated, could unravel the plea agreement and result in new criminal charges being filed, in addition to significant monetary sanctions. These plea agreements, as discussed above, also imposed certification obligations, under penalty of perjury, on each company's corporate executives. While these plea agreements do not necessarily indicate a formal shift in the DOJ's healthcare fraud prosecution policies, organizations should be aware of the DOJ's inclination to use plea agreements as an additional compliance tool.
- Expect government action to address alleged fraud related to electronic health records.
On September 24, 2012, HHS and the DOJ sent a letter to the country's leading hospital associations discussing their concern that electronic health records (EHRs) were being used "to game the system" in furtherance of fraud and abuse in the nation's healthcare programs. The letter did not include any guidance to providers, but it did indicate that "appropriate steps" would be taken to combat fraud and abuse related to EHRs. The letter indicated that action could include administrative payment suspensions and/or criminal prosecutions.
- Employment of excluded individuals will continue to be an enforcement priority.
Of all the actions in which OIG has assessed CMPs against a provider, either based on the provider's self-disclosure or another source, 57 percent of the CMPs were imposed for employing excluded individuals. A long-standing concern by the federal government, the employment of excluded individuals will remain a major enforcement priority in 2013 that healthcare providers must address by implementing effective screening processes.
- More regulations are on the way.
In addition to the HIPAA Omnibus Final Rule, several other rules and regulations, many of which are required under the ACA, have been published or are slated for publication in 2013. For example, the recently issued Physician Payment Sunshine Act Final Rule will require mandatory disclosure of payments between manufacturers and physicians. Additionally, rules regarding mandatory compliance programs and overpayment refunds also are expected in 2013. These rulemakings could have a dramatic impact on the healthcare industry, and we will continue to monitor these issues.
- Healthcare fraud and abuse enforcement is big business, involving big dollars, and will only continue to expand.
In a recent speech, HHS Inspector General Daniel Levinson opined that 20-30 percent of all healthcare spending was waste and abuse. Pursuant to this position, in 2012 the federal government continued to aggressively pursue recovery of these funds by securing substantial settlement payments, including multiple billion dollar settlement payments, from noncompliant providers. States also are getting in on the act. For example, the Texas attorney general's office recently reported a new state record of $1 billion in Medicaid fraud recoveries over the last ten years; $400 million of which was returned to the state's coffers. Because fraud and abuse enforcement and recovery efforts tend to be well received on both sides of the political aisle, expect continued expansion of fraud and abuse enforcement activity by federal and state government in 2013 and beyond.
- Providers should think outside the box when developing and/or improving their compliance programs.
While BakerHostetler has had much success in defending against the enforcement activity described above, the first step in mitigating or avoiding enforcement is an organization's commitment to compliance with federal and state healthcare laws and regulations, including the anti-kickback statute, Stark and physician self-referral laws, billing compliance and HIPAA and privacy breach regulations, among other risk areas. BakerHostetler routinely designs and assists healthcare providers with the implementation of corporate compliance programs, which memorialize an organization's commitment to compliance and allow for early detection of possible fraud and abuse issues.