The Office of Inspector General (OIG) announced the launch of a new tool on its website titled the “Fraud Risk Indicator”. The OIG has stated that the purpose for the tool is to provide guidance on how it has evaluated risk in settling False Claims Act (FCA) cases and to publicize information about where FCA defendants fall on the OIG’s risk spectrum. This tool can benefit patients, healthcare industry professionals and other individuals who may find this information relevant. This tool will also benefit the public with information about providers charged under the FCA that are at high risk for committing healthcare fraud. The Indicator shows the Risk Spectrum from Highest Risk to Lower Risk.
Miami resident Adrian Abramovich certainly wasn’t laughing on Thursday May 10th, 2018 when the Federal Communications Commission (“FCC”) levied a $120 MILLION dollar fine on him for his alleged involvement in an illegal robodialing campaign. FCC Chairman Ajit Pai stated that Abramovich did not dispute that he had placed more than 96 million telemarketing robocalls over a three month period in 2016 without the recipient’s consent. Furthermore, Chairman Pai stated that Abramovich’s telemarketing campaign utilized caller ID “spoofing” which masks the calling party’s true phone number and causes the recipient’s caller ID to indicate that the call was being made by a local number. Abramovich’s telemarketing activities allegedly violated a variety of state and federal regulations; caller ID spoofing, for example, is expressly prohibited by the Florida Telemarketing Act, § 501.616(7).
With the record-breaking fine imposed on Abramovich, the FCC is sending a loud and clear message that it will not tolerate those individuals or entities that violate telemarketing laws. Any person or business engaged in telemarketing (be it a healthcare provider with a single telephonic sales representative or a business devoted to telemarketing with a 100 person call center) must heed the FCC’s unsubtle hint that enforcement activity of telemarketing laws is only heating up.
Many practitioners or establishments looking to enhance their practice and offer more treatment options to their patients are considering HCT/P and Stem Cell Therapy in addition to other traditional treatment options. However, before embarking on offering HCT/P or STEM Cell Therapy, a practitioner or establishment needs to carefully consider protocol and procedure for offering HCT/Ps or STEM Cell Therapy.
The FDA defines HCT/Ps as “articles containing or consisting of human cells or tissues that are intended for implantation, transplantation, infusion or transfer into a human recipient.” 21 CFR 1271.3(d). HCT/Ps include bone, ligament, skin, dura mater, heart valve, cornea, hematopoietic stem/progenitor cells derived from peripheral and cord blood, manipulated autologous chondrocytes, epithelial cells on a synthetic matrix, and semen or other reproductive tissue.
Healthcare regulatory compliance is too damn complicated sounding and scary! What the heck does it even mean? Basically it means making sure you’re following about a dozen specific laws, some of which interrelate. It’s a little like making a cake. You have to make sure you have flour, eggs, sugar and so on. And then you have to make sure you put enough in the bowl and bake it at the right temperature. So what’s so unique re healthcare regulatory compliance? Healthcare professionals and businesses are inundated by these confusing laws written in legalese, to the point where they go numb. They lose the ability to focus on them and to take them seriously. And they hire someone that uses the word “consultant” or “compliance”; and they think they’ve got compliance covered. But they don’t. And that’s a big mistake in the healthcare world!
I had a law school professor who repeatedly referred to his class as “Doom at Noon.” The topic was dry, the cases were boring and, if not for the professor himself, the class would have been unbearable. I think of that, all these years later, every time I have to counsel a client on a topic that makes his or her eyes glaze over, like healthcare compliance.
Compliance means that you’re operating within the bounds of law. Sure, it sounds boring, but it’s a giant undertaking for any business, and especially for one so regulated as healthcare. Over the last three decades, the Department of Health and Human Services’ Office of the Inspector General has urged the private healthcare community in to take steps to combat fraudulent conduct and prevent the submission of erroneous claims.
The dominant forces of change in the addiction treatment industry are law enforcement and insurance companies. The focus and impact of insurers is currently focused on the argument that what treatment providers do isn’t medically necessary. This rationale is undeniably misguided and is the biggest threat to the survival of many health care providers, including those at the forefront of adapting to the demands by implementing meaningful legal regulatory compliance. This focus of this article is a parallel intervening factor in the addiction treatment industry: that of law enforcement, most notably in Palm Beach County, Florida. Consequently, providers in the addiction treatment space and their employees are becoming increasingly familiar with the concept of immunity as they are deal with law enforcement on a routine basis.
We assume there are bad-actors in the addiction treatment space. There are bad-actors in every industry and profession. No one can appreciate that more than this article’s co-author, Randy Goldberg. He is a retired Florida law enforcement professional, who spent a significant portion of his career investigating law enforcement officers for alleged criminal misconduct, having been deeply involved in the arrest and successful prosecution of law enforcement officers who abused their authority and strayed to the dark-side of the law.
In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest settlement amount, $31k, for potential HIPAA compliance breach violations related to one missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under HHS’ Office of Civil Right’s (“OCR”) scrutiny. The pediatric group used the ePHI record storage company since 2003, yet could not locate or provide a signed BAA to the OCR prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management was not thoroughly undertaken.
The largest settlement reached was $5.5 million to be paid by Memorial Healthcare Systems (“MHS”) located in south Florida. MHS operates 6 hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities. Additionally, MHS is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals, when impermissible access by its employees and impermissible disclosure to affiliated physicians occurred through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had policies and procedures in place related to HIPAA and the Security Rule, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access as required by HIPAA. Further, MHS failed to regularly review records of information system activity, in applications that maintain ePHI, by employees or workforce users or users at affiliated physician practices, even though MHS had identified such risk during risk analysis conducted from 2007 to 2012.
As healthcare professionals, we take pride and care in the detail in maintaining our employee files. Certain items must be separated from the others, files securely locked and out of reach from co-workers hands. Personnel’s personal information must be protected. We all know these things and probably already have a procedure in place for compliance.
Whether your facility has been deemed accredited (Joint Commission, for example) or just starting up, employee files must be maintained, reviewed, audited, and kept according to retention requirements. Knowing which laws apply aids in keeping your business compliant. For example, pursuant to ERISA laws, there is no specific time period to maintain records that reflect age, marital status and/or service records. The Social Security Acts states that employees’ social security numbers must be kept four years from the tax due date or payment of tax, whichever is later. So, there’s a lot of tracking going on.
One of the biggest challenges faced by addiction treatment providers today, especially in Palm Beach County, Florida, arises in the context of unprecedented pressure by law enforcement via the Sober Home Task Force, newspapers and insurers. The threat of being targeted by law enforcement is an enormous thing in itself. Add to that the mainstream media’s insatiable desire for readers, the industry’s drop into insurer red flagging and recoupment, the political football nature of addiction and addiction treatment, and treatment providers can lapse into a state of paralyzed tunnel vision, a sort of mass hypnosis. Here’s the problem: providers dealing with the current compliance crisis environment have a lot to lose if they take their eye off the bigger picture. The more absorbed they become in “crisis mode,” the more likely they will miss important addiction treatment compliance details in an increasingly regulated and changing industry. Losing the ability to see the entire picture (and trends) and quickly adapting to it can have costly (and even deadly) consequences.
The addiction treatment industry is like any other healthcare provider—enormously and increasingly regulated, highly scrutinized and always dynamic. The moment it took on features of traditional healthcare (e.g. lab and physician services), it left the relatively warm and fuzzy comfort of behavioral health providers, sorta. “Sorta” because medical behavioral health (e.g. psychology and counseling) has not had it easy in the past 10 years, as it came under crushing price compression with managed care driven networks and other price cutting middlemen that have often been owned or controlled by insurance companies. Addiction treatment providers in the pure behavioral health space were “saved” from all this till about three years ago because they were out of network and not the focus of insurer driven price cuts. As payors (and their price cut incentivized middle men) looked for more ways to drive up profits, the competitive and disorganized addiction treatment sector became a natural (and unprepared) sector to hit. And they hit it hard! Clearly, the Perfect Storm. Addiction treatment providers now have no option but to learn to swim hard and fast in the ever changing river of the healthcare business industry.
Concepts that drive sober home relationships like Anti-Kickback Statute, Patient Brokering Act and Safe Harbor have become ingrained in the minds of nearly every addiction treatment provider’s thought process, especially in Florida with the development of the Sober Home Task Force. Providers now seem to fully embrace ideas like–
There’s a federal law (the Anti-Kickback Statute, the “AKS”) that can bring criminal liability for marketing done incorrectly;
There’s a state law, the Florida Patient Brokering Act (“PBA”), that can do the same;
Complying with the federal safe harbors and the bona fide employee exception is important, even when there are no state or federal healthcare program dollars involved;
Paying anyone for marketing, not just on a commission based sales model, without fully appreciate the applicable laws is dangerous, costly and invites criminal inquiries and liability; and
Achieving compliance with applicable federal law should be part of any recovery business’ overall compliance plan.
Recovery providers must become familiar with not only the AKS and state restrictions like the PBA, but also the law’s permitted examples, so called “Safe Harbors,” which specify specifically permitted arrangements (42 CFR 1001.952). The “personal services arrangement and management contract” Safe Harbor, for instance, has particular application in the area of marketing, as does the AKS exception for “bona fide employment arrangements,” which apply to “bona fide” W-2 employees (entailing direction, supervision and control), but not independent contractor relationships.
Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.