In the noisy public debate over the wisdom and constitutionality of the Patient Protection and Affordable Care Act (PPACA), the individual mandate and other insurance-related provisions have received most of the attention. This has allowed powerful fraud-fighting weapons that were created or enhanced by PPACA to go relatively unnoticed. Health care providers ignore these weapons at their peril.
This article will address three products of PPACA that seem to have come together at the same time: the Center for Medicare & Medicaid Services' (CMS) new data gathering/data mining system, the agency's enhanced ability to sanction providers, and the power given to, and exercised by, Zone Program Integrity Contractors (ZPICs). While the ZPICs predate PPACA, their utilization of the PPACA-funded data mining system has made them much more dangerous.
Individually these additions to the government's enforcement arsenal have largely operated under the radar. Their cumulative impact, however, is substantial. As a result, providers must update and strengthen their compliance programs to prevent and correct compliance errors before the commencement of any government audit or investigation. Providers also should have clear procedures, communicated to employees in advance, for handling an unwelcome knock on the door.
Increased Funding to Fight Fraud
One fraud-fighting tool given to the government by PPACA stands out as the most important because it makes most of the others possible – significant new appropriations. PPACA provided mandatory appropriations of $1.7 billion each for fiscal years (FYs) 2010 and 2011 to fund the fraud enforcement efforts of the Department of Health and Human Services (HHS), the HHS Office of Inspector General (OIG), the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI). PPACA also provided discretionary appropriations of $311 million for FY 2010 and an estimated $561 million for FY 2011.
Much of this funding has been used, and it has borne fruit (or drawn blood). For example, DOJ's Civil Division has doubled the number of lawyers in its Frauds Section. In addition, CMS has established the Center for Program Integrity that has heavily invested in personnel, hardware, software, and programming to verify and crosscheck vast amounts of data – the data mining alluded to earlier.
So far, there has been a strong return on the government's investment. On February 14, 2012, DOJ and HHS announced that their joint Fraud and Abuse Control Program, which has been utilizing the resources authorized and funded by PPACA, recovered nearly $4.1 billion in FY 2011.
The National Fraud Prevention Program
The increased funding has paid for new investigative and enforcement tools. CMS' data gathering/data mining program is the centerpiece of the agency's new proactive approach to claims processing and provider enrollment. While the roll out of this program began two years ago, it has gone relatively unnoticed. Providers, however, should be aware of just how much information CMS has about them in its data bank and how this information is being used.
In April 2010, the Center for Program Integrity (CPI) was created as a component of CMS. The Fraud Prevention System, which monitors all fee-for-service claims prior to payment, was implemented on June 30, 2011, and Automated Provider Screening, which monitors enrollment applications, was implemented on December 31, 2011. The data collected by CMS under these programs, as well as data from external databases, is being used to deny claims, initiate fraud investigations, and exclude providers from Medicare and Medicaid. In addition, the data CMS collects will be shared with federal law enforcement agencies, state health care agencies, and private insurance plans.
The Fraud Prevention System. Historically, CMS has paid claims and then, if warranted, initiated recovery of overpayments (known as "pay and chase"). The Fraud Prevention System (FPS) is CMS' effort to be more proactive by utilizing prepayment review to deny individual claims and/or initiate fraud investigations. Characterized by CMS as "new predictive modeling technology," FPS has been screening all Medicare fee-for-service claims, prior to payment, since June 30, 2011. According to CMS, 4.5 million claims per day are being monitored. The FPS utilizes "sophisticated algorithms and models to identify suspicious behavior."The FPS also uses historic data and external databases to build "robust" profiles of providers and suppliers. The use of external databases is characterized by CMS as "Social Network Analysis," which is designed to acquire information "through associative link analysis." These profi les, in turn, are used to identify "unusual billing patterns"to determine "the likelihood of fraudulent activity." Based upon all available information, risk scores are calculated and alerts are generated automatically and prioritized according to risk. The results are provided to ZPICs, contractors tasked with, among other things, identifying potential fraud by comparing a provider's billings with those of similarly situated providers. Results also are provided to law enforcement personnel.
The FPS has begun to produce results, according to the OIG's recently released Semiannual Report to Congress , covering October 1, 2011 - March 31, 2012, which touts OIG's "focus on data analytics as a critical tool for enhancing our fraud, waste, and abuse activities." The OIG goes on to state that "OIG's data warehouse is a key component of our strategic use of information technologies [because it] integrates data from Medicare Parts A, B, and D so we can develop a more comprehensive picture of beneficiaries' histories of medical care and providers' billing patterns."
The report also mentions that "OIG's new hospital compliance initiative illustrates the impact of technology on our ability to identify suspect claims and noncompliant billing practices." In addition, "[t]he data-driven approach of the [Medicare Fraud] Strike Force pinpoints fraud hot spots through the identification of suspicious billing patterns and targets criminal behavior as it occurs."
Automated Provider Screening (APS). The APS, which was implemented on December 31, 2011, is an automated provider enrollment screening tool that crosschecks information received from providers on their Medicare enrollment applications against thousands of public and private databanks to verify and supplement the information submitted by providers. The APS also is intended to identify providers that may be high-risk based upon the information in their enrollment applications. The APS will routinely rescreen information submitted by providers for continued accuracy and to ensure the continued eligibility of a provider. All of this information will be housed in a central databank and will be used for the ongoing monitoring of all existing providers. CMS will share its information on providers with states, law enforcement agencies, and private insurance plans.
Indefi nite Suspension of Payments HHS is now authorized to suspend indefinitely all Medicare and Medicaid reimbursement payments to a health care provider "pending an investigation of a credible allegation of fraud." This includes allegations from any source, even an anonymous source. CMS' implementing regulations define a "credible allegation of fraud" to include anonymous fraud hotline complaints, patterns identified through data mining, and investigations under the False Claims Act. This presumably includes complaints by whistleblowers, which are required to be fi led under seal. Allegations are "credible" when they have "indicia of reliability." Prior notice of a suspension is not required nor is notice of the reason for the suspension. Providers are not required to be informed of the origin or nature of the allegations of fraud or why they are considered to be credible.
Because PPACA authorizes a suspension pending the investigation of a credible allegation of fraud, CMS' regulations define the conclusion of the investigation as the termination of legal action by settlement, judgment, dismissal, or when the case is dropped for lack of sufficient evidence. While the regulations limit any suspension to 18 months, a suspension can be extended if administrative action is pending or being considered by OIG, or if DOJ requests a continuation of the suspension based on an ongoing investigation and an anticipated or pending criminal prosecution or civil action. Thus, for all intents and purposes, a suspension can be indefinite, leaving either settlement or going out of business as the only feasible options for many providers.
The new investigative tools and power described above have been put in the hands of existing, but newly strengthened contractors, ZPICs. ZPICs have the authority to utilize the data collected by CMS' data mining system and to suspend payment to providers based on a credible allegation of fraud. Such an "allegation" can be a pattern identified through data mining. As such, the ZPIC may be the most dangerous weapon in CMS' new arsenal.
CMS' use of contractors to recover Medicare funds is nothing new. It has engaged Recovery Audit Contractors (RACs), who are paid on a contingent fee basis; Medicare Administrative Contractors (MACs); and Medicaid Integrity Contractors (MICs). ZPICs are the newest and most aggressive.
Unlike the other contractors, ZPICs are tasked with ferreting out fraud, in addition to recovering overpayments. According to CMS, they will tackle all benefit integrity activities across the country and form "rapid response teams" with a more aggressive fraud-fighting mandate. Pursuant to the statement of work in a ZPIC contract with CMS, ZPICs are to review and analyze a variety of data to identify vulnerabilities and/or specific providers for review and investigation. Potential fraud and abuse cases are referred to law enforcement while the ZPIC pursues administrative actions such as the suspension of payments, the exclusion of providers from Medicare, and the implementation of claims processing edits that limit or stop payment to suspect providers. ZPIC audits usually are unannounced or initiated with very little notice. The contractors are authorized to conduct both prepayment and post payment review of claims, in the course of which they may interview the provider's patients and employees. Typically, they request medical records and because they are authorized to engage in statistical sampling and extrapolation in determining whether there is fraud, may only review a small sample.
So far, ZPICs have targeted small providers who lack the resources to fi ght back. Because they have the authority to investigate Medicare claims under Parts A, B, C and D, there is no reason to believe that larger providers, such as hospitals, will not be investigated by ZPICs once the hospital data that have been mined is analyzed.
How to Protect Yourself and Your Organization
Providers should take steps to both specifically respond to a government or ZPIC audit and generally minimize the chances of encountering, and maximize the chance of surviving, any compliance audit or investigation.
Responding to a Government or ZPIC Audit. If your facility should receive an unwelcome knock on the door from a ZPIC or from any other government enforcement agency, you should take the following steps:
- Designate a person, usually the compliance officer, to be the point of contact with the ZPIC or other investigator. All communications to and from the ZPIC should go through the person designated as the point of contact. Ideally, this person should have been designated in advance, and all personnel should have been advised of the identity and responsibilities of the contact person. The contact person, together with legal counsel, should coordinate the audit.
- Immediately notify legal counsel. If at all possible, access to the premises and records should be coordinated with counsel. If counsel is not readily available, ask the ZPIC if it is acceptable to await counsel. If the ZPIC is insistent, however, don't give him or her an excuse to claim that you were obstructing the investigation.
- Remind employees that all communications with the investigator must go through the contact person unless the ZPIC specifically requests an interview with an employee (or employees).
- Immediately instruct all personnel in writing that no records – whether paper, electronic, or microfiche – are to be destroyed.
- Immediately commence compiling the records being sought by the investigator.
- Advise all employees that they have the right to speak to the investigator, the right to postpone an interview, and the right to decline to be interviewed. Employees should be advised that they have the right to counsel in making a decision on whether to be interviewed, and the right to have counsel present during any interview. Be sure to make it clear, however, that the organization's counsel does not, and cannot, represent them. Employees also should be warned that the ZPIC may attempt to speak to them at home or elsewhere off-site, outside of normal business hours.
- Implement a document management system that includes the date stamping of all documents, the scanning of duplicate documents, and the inclusion of a cover letter listing the documents being submitted.
- Keep careful track of all deadlines. If additional time is needed to collect and submit the requested documents, ask for it and make sure there is written documentation of any agreement to allow additional time.
- You should be able to discern the subject of the investigation from the nature of the documents being sought by the investigator. Once you have a general idea of what the investigator is looking into, you should commence an internal investigation into the probable areas of the investigator's inquiry to allow you to ascertain what you are facing, and begin to defend yourself. The internal investigation should be supervised by legal counsel to ensure that is privileged.
Preventive Measures. The best protection against unpleasant encounters with government or contractor enforcement personnel is the implementation of an effective compliance program. Such a program should keep violations to a minimum and provide early warning of a problem. It is always preferable to learn of a problematic practice from an internal compliance officer rather than from the government or investigator. More to the point, PPACA requires all providers to certify that they have implemented an effective compliance program.
PPACA requires compliance plans to contain "core elements" established by the HHS Secretary in consultation with OIG. These "core elements" have not yet been established. As a result, providers should utilize the OIG Compliance Program Guidance for their industry sector. They have a number of common elements, often referred to as the "seven pillars of compliance." These include implementing written policies and procedures; designating a compliance officer and committee; conducting effective training, education, internal monitoring and auditing; enforcing standards through well-publicized disciplinary guidelines; and responding promptly to detected problems and undertaking corrective action.
To be effective, a compliance program must have the support of the highest levels of the company. The board and senior management must be committed to the program and must evidence that commitment not only through direct written and verbal communications, but also by providing the resources necessary to the operation of the program. An excellent compliance program plan containing all of the right elements is worthless if it only sits on a shelf in a binder and is never used.
Good Employee Relations
One final way that you can protect your company is to make sure that management understands the importance of maintaining good employee relations. The False Claims Act, which is the government's primary enforcement weapon, allows a whistleblower to initiate an action on behalf of the United States. Because employees are the people most likely to be aware of legal or regulatory violations, most whistleblowers are current or former employees. While whistleblowers are entitled to 15 - 30 percent of any recovery, this is not the primary motivation of many whistleblowers. Many false claims cases start out as employment disputes, while many others are initiated by conscientious employees who attempted to advise management of compliance issues. These employees are often ignored and treated as nothing more than abrasive troublemakers. This is a huge mistake.
If, for example, an employee in the billing department of a hospital tells management that the hospital is submitting Medicare claims that he or she believes are not in compliance with Medicare billing rules, the employee may well be right. Even if the employee is mistaken, however, ignoring her can lead to disaster. Unless she is satisfied that her complaints were taken seriously, she can quickly become disgruntled. As a result, a diligent employee has been transformed into a disgruntled employee (or former employee). From here, it is a short and easy step to becoming a whistleblower.
You can prevent whistleblower suits by taking all complaints, objections, and questions seriously. This means treating a complaining employee with dignity and explaining that the complaint will be fully investigated. If the practice in question is consistent with applicable law, the employee should be given the reasons for this determination. Ensuring that all employees raising compliance allegations are treated with respect is key to limiting the likelihood that an employee will become a whistleblower.
Originally published in CCH Health Care Compliance Letter, July 17, 2012
This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.
Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.