Health Care Client Alert – Health Care Compliance Update

    By Laura Dickson Rixey, Health Care

    Report & Return: The 60 Day Rule on Overpayments

    Section 6402(a) of the Affordable Care Act created an obligation for health care providers to report and return within 60 days any identified overpayments received by Medicare or Medicaid. Recently, the Department of Justice (DOJ) has reviewed complaints concerning violations of this overpayment provision, and huge financial liabilities have been imposed on noncompliant providers. In one instance, a Medicaid provider failed to disclose and return overpayments identified after a computer glitch caused Medicaid to be double-billed, resulting in a $2.95 million dollar settlement. Another identified overpayment violation resulted in a $6.88 million dollar settlement.

    A failure to report and return an overpayment within 60 days creates an obligation under the False Claims Act and subjects a provider to liability in the form of civil penalties or treble damages. To avoid such liability, the Centers for Medicare and Medicaid Services (CMS) has issued guidance for the reporting and returning of overpayments. First, effective compliance with the overpayment rule begins with the maintenance of a compliance program that is structured to uncover and act on credible information. Thus, when credible information suggests an overpayment may have occurred, a provider is able to follow the appropriate course of action. When credible information reveals that an overpayment may have occurred, the provider must conduct a reasonable inquiry into the matter. Providers should perform an audit to determine the amount of the overpayment. If an overpayment is identified, the overpayment must be disclosed and returned to CMS either within 60 days of identification or by the due date of a corresponding cost report. It is important that if an overpayment is identified, the proper guidelines are followed or else serious financial consequences may ensue.

    Human Error Still a Major Cause of HIPAA Breaches

    Recently, the U.S. Department of Health and Humans Services (HHS) Office of Civil Rights has reviewed two complaints where impermissible disclosures or protected health information (PHI) have led to significant fines and penalties. Though most people understand the essential purpose of safeguarding PHI, serious consequences can arise when personnel mistakenly and carelessly provide PHI to unauthorized individuals.

    St. Lukes-Roosevelt Hospital Center, Inc. operates the Institute for Advanced Medicine, which provides comprehensive health services to people suffering from HIV or AIDS and other chronic diseases. The Center was required to pay a settlement of $387,200 after a staff member impermissibly faxed PHI to a patients employer instead of sending the information to a post office box, as requested by the patient. The PHI contained in the fax was particularly sensitive, including the patients HIV status and sexual orientation. HHS also determined that this breach was similar to a similar breach of sensitive information by St. Lukes that occurred nine months earlier, which increased the scrutiny placed on the center.

    Similarly, Memorial Hermann Health System (MHHS) agreed to pay $2.4 million to HHS and implement a comprehensive corrective action plan after an impermissible disclosure of PHI. In September 2015, a patient presented a fraudulent identification card to office staff. The hospital quickly notified police and the individual as arrested. This disclosure to law enforcement was permissible under HIPAA. However, MHHS subsequently published a press release with the patients name in the title of the press release. The press release was issued to 15 media outlets and reporters. Senior hospital executives also disclosed the name of the patient to a state senator, to a state representative, to an advocacy group, and on its website. Such disclosures of a patients name were impermissible under HIPAA and HHS swiftly responded. Although the hospital was permitted to disclose certain information to law enforcement to cooperate with the investigation, the hospital was not permitted to breach patient confidentiality when making statements to the public and to certain other individuals.

    Stark Scrutiny in Physician Compensation Arrangements

    Providers must tread carefully when entering into compensation arrangements with employed physicians. Recently, a Missouri hospital system reached a $34 million settlement agreement with the DOJ due to Stark noncompliance. When ownership of an infusion center was transferred from a private practice to Mercy Hospital, the physicians of the practice were concerned that their compensation would be reduced because a substantial portion of their income came under the collection compensation model under the infusion center. While the Stark Law allows for profit sharing in the group practice setting, challenges can often arise when trying to mimic similar compensation arrangements outside of a group practice setting. In this instance the hospital addressed the physicians concerns by establishing a new work Relative Value Unit (wRVU) formula that considered the physicians lost profits and desired income. Essentially, the DOJ found that the compensation arrangement factored in physician referrals of patients to the hospitals infusion center, and therefore was in violation of the Stark Law.

    The Stark Law is a strict liability statute, and thus providers can face substantial liabilities when their actions are deemed noncompliant. Therefore, providers should be cautious and potentially seek counsel before structuring compensation arrangements for employed physicians.

    Missing the Mark on Medicares MACRA Requirements

    The Medicare Access and CHIP Reauthorization Act (MACRA) was signed into law in 2015 to replace Medicares sustainable growth rate formula. MACRA was put in place to reward physicians for providing higher quality care. The program established two tracks for payment: (1) a merit-based incentive payment system (MIPS) that provides incentives or penalties for reporting and meeting certain quality measures, and (2) an advanced alternative payment model (AAPM), which provides lump sum bonus payments for physicians with a threshold portion of their revenue or patients in a qualifying AAPM. Under MACRA, the Quality Payment Program (QPP) is the umbrella term to describe these tracks.

    Though the program initially began on January 1, 2017, a new study by KPMG and the American Medical Association found that medical practice leaders are uninformed about the compliance standards for the program. A survey, based on responses from 1,000 physicians involved in practice decision-making related to MACRA, found that fewer than 1 in 4 physicians were prepared to meet MACRAs statutory requirements. Though CMS has exempted physician practices with less than $90,000 in Medicare revenue or fewer than 200 unique Medicare patients per year, many practices are not exempt and could face financial penalties if they are found noncompliant with the statutory requirements. The study also revealed that 83% of physicians surveyed requested more educational information to better understand MACRAs requirements and financial implications. The American Medical Association provided a resources guide on their website in response to this request.

    The Health Care Practice Group at Kaufman & Canoles is ready and happy to assist you with any of your compliance concerns in any of these enforcement areas and beyond.

    * A special thanks to Megan Italiano for assisting with the research for and preparation of this alert.

    The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2024.