The 2020 AHLA Fraud and Compliance Forum provided many COVID and non-COVID related healthcare industry updates. We previously summarized the top trends and developments centered around physician compensation in Part 1. Here, in Part 2, we focus on additional important industry updates from the forum.
1. Telehealth: The “Last Frontier of Medicine”
“The walls are falling down […] to make telehealth a more robust part of our health system in the United States.”
– Terrence Lewis, Senior Associate Counsel, Univ. of Pittsburgh Medical Center
Telehealth exponentially grew from 2019 to 2020 in response to the COVID-19 pandemic. Panelists discussed several key changes in the rules and regulations governing telehealth which will last, at a minimum, through the public health emergency (“PHE”). Key PHE-related items discussed include the following:
- CMS issued temporary COVID-related Section 1135 waivers to ensure continuity of care and reduce the risk of COVID-19 transmission, notably that Medicare can pay for telehealth visits, virtual check-ins, and e-visits and services provided in any setting (i.e. not just limited to rural areas).
- 135 new CPT codes were added to the Medicare telehealth services list, with 89 of those authorized to be furnished via audio-only devices. Since the conference, on October 14th, CMS announced 11 new telemedicine codes and a State Medicaid and CHIP Telehealth Toolkit.
- HHS Office for Civil Rights announced it will exercise enforcement discretion and waive penalties for Health Insurance Portability and Accountability Act (HIPAA) violations against health care providers that serve patients in good faith through everyday communications technologies during the PHE.
- The CARES Act contains several measures to streamline telehealth grant programs, establishes that Federally Qualified Health Centers or Rural Health Clinics may provide telehealth services to Medicare beneficiaries, permits telehealth physician visits for dialysis patient clinical assessments, allows for certification of hospice services via a telehealth encounter rather than a face-to-face encounter, and encourages use of telehealth for home visits.
- The OIG issued Policy Statements (on March 17, 2020 and April 3, 2020) with the intent of making sure health care providers have the regulatory flexibility necessary to respond adequately to COVID-19 concerns.
Panelists additionally noted that the OIG has recognized telemedicine as one of the top fraud schemes related to COVID-19. As the OIG has near-real-time access to Medicare data, it will be taking a data-driven approach, using the Division of Data Analytics (DDA) to closely monitor telehealth services and track numerous items daily (including telemedicine billing by NPI taxonomy, dollar amounts, codes utilized, billed categories, and HCPCS modifiers).
While telehealth is a new frontier, AKS, Stark, and CMP still apply, and healthcare providers should be careful to keep abreast of telehealth changes, both temporary and permanent, to ensure compliance with all requirements. LBMC’s Healthcare Consulting team assists healthcare providers with the development of their telehealth strategy and in billing compliance matters.
2. Private Equity
“This [healthcare] will continue to be a sector to invest in, notwithstanding the ebbs and flows of the economy, with the caveat that some sectors will do better than others.”
– Phil Watts, General Counsel, OneOncology
Private equity investment in healthcare was upward of $78.9 billion in 2019. Panelists attributed private equity’s investment in the sector as key to the sector’s growth. The PHE ushered in, and will continue to contribute to, changes in market conditions as private equity continues to pursue investments in healthcare.
The panelists also discussed that private equity’s push for profits may run counter to, or supersede, the goal of providing the best patient care or compliance with various regulatory requirements.
“Private equity brings a transition and an intense scrutiny […] to the business.”
– Lisa S. Rivera, Member, Bass, Berry, & Sims
Private equity should expect government scrutiny and should consider the risks of participating in the healthcare sector. Panelists emphasized private equity must look behind strategic, financial, governance, and operational goals to understand the implications of various regulations, exercise due diligence to meet those requirements, and create an effective compliance program. Panelists discussed the following cases at length:
- The Department of Justice (“DOJ”) recently announced its $21.36 million settlement with compounding pharmacy Patient Care of America (“PCA”), two of its executives, and a managing private equity firm to settle alleged False Claims Act violations. Allegations included an illegal kickback scheme to generate referrals (notwithstanding patient need) by paying excessive commissions to marketers to recruit beneficiaries and doctors for prescriptions. The panelists noted that the private equity company jointly managed PCA’s operations and the DOJ alleged the private equity firm knew PCA submitted false claims, was advised by counsel of potential AKS violations, and knew that reimbursement was from a government payor (TRICARE). The DOJ additionally alleged measures were not taken to ensure appropriate compliance, such as no effective compliance program in place, no compliance committee, and no qualified chief compliance officer.
- Mental health care company South Bay Mental Health was accused in 2018 of fraudulently billing Massachusetts’s Medicaid program. Private equity invested in South Bay and the firm knew some employees were unlicensed, unqualified, and unsupervised, but did not make corrections even though the firm made up a majority of the board and participated in operational decisions (e.g., contract approval, strategic planning, budgeting, and earnings considerations). Panelists emphasized that, after the transaction closed, the private equity firm had a majority of seats on the board and supervisory roles such that the issues could be fixed, but they were not. Per the panel, this case will likely be decided soon.
- On September 9th, the DOJ announced a $50 million settlement with Wheeling Hospital regarding FCA allegations that Wheeling Hospital violated the AKS and Stark. The DOJ alleged that the hospital, under its management company’s control, improperly compensated referring physicians based on the volume or value of referrals. The panelists noted several specific allegations that the management company was involved with management functions at the hospital, financial supervision, legal strategy, regulatory compliance, and staffing decisions such as physician recruitment and physician practice acquisition.
Panelists also pointed to the DOJ’s recent corporate compliance program guidance which outlines specific questions the DOJ will be asking in the evaluation of compliance programs.
Private equity should strive to understand the healthcare regulatory environment, seek competent healthcare counsel, and establish effective compliance programs. LBMC’s Transaction Advisory Services team assists private equity clients in financial, tax, information technology, and human resource/benefit due diligence on both the buy- and sell-side of M&A transactions. LBMC’s Healthcare Compensation Valuation team assists healthcare entities across the nation in designing, assessing and valuing compensation under a wide variety of arrangements, including those with private equity portfolio companies.
3. Government Agencies Increasingly Use Data Analytics
“First and foremost, when we are identifying risk areas, we’re looking specifically at program vulnerabilities. We are utilizing data analytics…we also rely on our hotline, on qui tams and tips that we receive, and, of course, on collaboration. OIG collaborates both across its own different disciplines and with other federal partners as well as with private entities.”
– Megan Tinker, US Department of Health and Human Services
Various government agencies (i.e. OIG, CMS, DOJ, FBI and other agencies) are making a concerted effort to work together to identify and investigate areas of fraud, waste, and abuse by utilizing different enforcement tools (such as the Health Care Fraud Strike Force model), sharing data, and leveraging data analytics.
The OIG’s Division of Data Analytics is tracking multiple areas of concern on a daily basis, including lab billing, pharmaceuticals, diagnostic codes, telemedicine billing by NPI taxonomy, dollar amounts, codes utilized, billed categories, HCPCS modifiers, and so forth. By using predictive analytics, fraud and errors can be identified before payments are made. Data mining and matching help detect fraud or improper payments that have already been awarded. Data analytics is also being used to monitor providers’ prescribing practices.
It is important that health organizations use data analytics to identify program vulnerabilities, review coding and evaluate specific benchmarks. LBMC’s Healthcare Consulting team assists healthcare providers in developing tailored data analytics reports to support strategic decisions, predict trends, and promote better business management.
“I cannot emphasize enough that as providers adopt more telehealth, cybersecurity is only going to be a bigger and bigger issue. It’s already a huge issue in healthcare and telehealth is […] going to increase the footprint of risk for providers.”
– Andrew VanLandingham, US Department of Health and Human Services
Cybersecurity continued to be an area of emphasis, with panelists speculating that cybersecurity concerns will continue to grow as telehealth expands. As part of the OIG’s continued focus on cybersecurity, it has implemented a Computer Crimes Unit to focus on cybercrimes affecting HHS networks and assets, in addition to updating the OIG Work Plan as related to the audit of foundational cybersecurity controls for the U.S. Healthcare COVID-19 Portal and Protect.HHS.gov. Other resources panelists provided were the HHS Health Care Cybersecurity Coordination Center (HC3), which provides victim notifications to providers and others; the Office for Civil Rights Cybersecurity Guidance for cybersecurity professionals; and the Office of the National Coordinator for Health Information Technology’s security resources for providers. Panelists suggested organizations continue to be aware of cybersecurity concerns and make efforts to protect against breaches.
LBMC’s CyberMaxx offers cybersecurity services to help providers prevent, defend, and respond to cybersecurity issues. Amid the COVID-19 pandemic, increased vulnerabilities from emerging medical delivery models and changing consumer demands will impact data security and patient care. You can read about these issues by downloading CyberMaxx’s Future of Cybersecurity in Healthcare document.
5. CARES Act Provider Relief Funds
“We in HHS have been working hard […] to be able to distribute the appropriations that Congress provided […] to help […] those healthcare providers on the front lines.”
– Susan Monarez, Health Resources & Services Administration
Panelists discussed the CARES Act and the Paycheck Protection Program and Health Care Enhancement Act, which supplied $175 in provider relief funds (“PRF”) to healthcare providers. The pre-payment process includes determining eligibility, validating tax ID numbers, and applying for funding. Panelists noted that common issues with the pre-payment process include:
- The submission of tax return and revenue information to determine General Distribution payment amounts,
- Authentication prior to application when an entity’s tax identification number is not on the General Distribution curated list, and
- The submission of admissions data to qualify for High Impact payments.
The post-payment process includes receiving payment, accepting payment and attesting to certain terms and conditions (i.e. applying the monies received to permissible uses that are not reimbursed by another source), and then reporting on the use of funds. Panelists noted that common issues with the post-payment process include:
- Change of ownership hurdles,
- Peculiarities of using funds within a healthcare system,
- Balance billing prohibitions, and
- Exclusions on use of funds for salaries above certain limitations.
Additionally, any PRF recipient may be subject to audit requirements, including Single Audit provisions.
Companies receiving any form of funding under the CARES Act or other federal funding programs should review the program to determine applicable reporting and audit requirements. LBMC can help navigate the CARES Act distribution process. LBMC also helps companies begin to prepare for Single Audits and provides guidance regarding how to maintain compliance while using the payments received.
6. Compliance and Risk Assessments
“The absence of a high‐functioning compliance program may be used to establish [FCA] intent.”
– Thomas Beimers (former Senior Counsel with HHS OIG)
Panelists discussed the DOJ’s evaluation of the effectiveness of corporate compliance programs, recommending that organizations should:
- Develop and update risk assessments,
- Continuously monitor and update compliance programs, and
- Devote appropriate resources to the compliance programs.
Panelists also discussed the OIG Permissive Exclusion Authority and Compliance Program, noting that the existence of a compliance program that includes the U.S. Sentencing Commission Guidelines Manual’s seven elements of an effective compliance program does not affect the risk assessment, but the absence of such a program indicates a higher risk. If an entity has devoted significantly more resources to the compliance function, this indicates a lower risk.
LBMC’s Ballast tool has been designed to transform your assessment-focused activities into a true risk management solution using reporting dashboards, automated remediation tracking, and one-click compliance reporting.