While it's impossible to predict what government enforcement officials are currently working on, the trends from 2018 provide strong guidance for planning compliance efforts in 2019. In fact, 2018 was another busy year for the Department of Justice (the DOJ) and the Office of the Inspector General for Health and Human Services (the OIG). The following are some notable enforcement trends that may be helpful in planning your 2019 compliance initiatives.

Anti-Kickback and Physician Self-Referral Law Enforcement

One of the most notable trends in the last several years is the prevalence of False Claims Act cases premised on physician compensation relationships that are alleged to violate the Physician Self-Referral Law (Stark) and/or the Anti-Kickback Statute (the AKS). Here is a summary of a few exemplary cases that were resolved in 2018:

• The University of Pittsburgh Medical Center Hamot was alleged to have entered into medical director or administrative services contracts with twelve physicians that violated both Stark and the AKS. The government contended that there was no legitimate need for the agreements because the services were either not performed or were duplicative in that they were already being provided by other physicians who were not being paid. The case was resolved for $20.75 million.

• Montana-based Kalispell Regional Healthcare System (KRH) was alleged to have paid excessive full-time compensation to 60 specialists, many of whom worked less than full-time, to induce referrals. In addition, a subsidiary of KRH allegedly provided administrative services at below fair market value to a hospital joint venture owned by both the KRH subsidiary and an affiliated physician group in order to reduce expenses and increase the profits for the physician investors as a means of inducing referrals. The whistleblower was the CFO of the physicians' network for the health system. The allegations were resolved for $24 million.

• Detroit's William Beaumont Hospital paid $85.5 million to resolve the allegations made by four whistleblowers that Beaumont paid compensation substantially in excess of fair market value to physicians and provided office space and employees at below fair market value to physician groups. Specifically, the allegations made by the whistleblowers included:

  • Full-time salaried cardiologists were paid in excess of fair market value as evidenced by the fact that they also continued to maintain separate private practices from which they retained the compensation;

  • The hospital provided office space and leased employees to the physicians' practices at less than fair market value; and

  • 56 salaried medical directorships and other leadership positions had no job descriptions, no performance standards, no metrics, and no recorded evidence of any activities in exchange for the payment and were above fair market value. Some physicians in these positions also maintained full-time private practices.

The settlement also resolved claims that Beaumont allegedly misrepresented that a CT radiology center qualified as an outpatient department of Beaumont.

False Claims Enforcement Related to Medical Necessity

Cases involving medically unnecessary services continue to be a significant focus for the DOJ. Importantly, the legal community awaits a long-pending decision by the 11th Circuit Court of Appeals that may impact the government's ability to bring FCA cases based on a lack of medical necessity. In U.S. ex rel. Paradise vs. AseraCare (Docket No. 16-13004), the trial judge found that the government could not bring FCA claims against a hospice provider for medically unnecessary services. The judge reasoned that, because determinations of medical necessity are subjective medical determinations, the government's expert testimony that patients were not terminally ill (and, therefore, the services were not medically necessary) was insufficient to establish that the claims were false. The government argued that determining the falsity of hospice claims does not rest simply on two conflicting expert opinions on subjective medical determinations. Rather, the government contended that the expert testimony goes to the more objective determination of whether the medical records contained clinical information and documentation to support the patient's terminal prognosis.

Despite the pending 11th Circuit decision, several significant FCA cases based on medically unnecessary services were resolved in 2018. A key theme in several of these cases was that, when there was a vendor or supplier providing the services in a hospital or skilled nursing facility, the government pursued both entities for submitting false claims or causing false claims to be submitted. Therefore, effective compliance programs must monitor the medical necessity of services provided by any vendor or supplier. The following are several representative examples of resolutions involving medically unnecessary services:

• Two cases were resolved in which the government contended that the hospitals billed Medicare for medically unnecessary inpatient stays, when less expensive outpatient or observation care could have been provided. Banner Health settled for $18 million and Prime Healthcare Services settled for $65 million.

• Healogics settled allegations that it caused the submission of claims for medically unnecessary hyperbaric oxygen (HBO) therapy. Healogics managed hospital-based wound clinics and was alleged to have caused those clinics to submit claims for medically unnecessary HBO therapy. The case settled for $22.5 million. In addition, the OIG issued an audit report (A-01-15-00515) in 2018 concerning medically unnecessary HBO therapy. Medicare only pays for HBO therapy for diabetic patients that meet certain coverage criteria. The OIG audit found that a significant portion of HBO claims it analyzed were not supported by sufficient documentation that the beneficiary met the coverage criteria for diabetic patients.

• The government continues to aggressively pursue medically unnecessary rehabilitation services provided by long term care facilities. Signature HealthCARE paid $30 million to resolve allegations of medically unnecessary rehabilitation claims caused by presumptively placing patients in the highest therapy reimbursement category rather than individually evaluating patients to determine the level of need and by pressuring therapists to complete planned therapy minutes even when the patients were ill or declined treatment. Similarly, Southern SNF Management, Rehab Services in Motion, and several skilled nursing facilities where they provided therapy services, paid $10 million to resolve allegations related to medically unnecessary therapy.

• A post-acute medical management company and four hospitals paid $1.7 million to resolve allegations that they provided medically unnecessary intensive outpatient psychotherapy to patients.

Opioid-Related Enforcement

Opioid-related enforcement continues to be a major focus of DOJ. Most states now have an opioid task force that includes the DOJ and federal and local law enforcement. The DOJ's 2018 national "health care fraud takedown" announced a significant number of opioid enforcement matters. Most of these were criminal "pill mill" type cases focused on providers unlawfully distributing of controlled substances, including opioids. As part of the takedown, the U.S. Attorney's Office for the Eastern District of Wisconsin announced the indictment of an advanced nurse practitioner and several other individuals related to a cash-only pain clinic for conspiring to distribute oxycodone and methadone outside of professional medical practice and not for legitimate medical purposes.

The DEA continues to be a significant player in opioid enforcement related to institutional providers. In August, the DEA announced a $4.3 million civil settlement with the University of Michigan Health System primarily related to violations of the Controlled Substances Act's (CSA) record-keeping requirement. After the opioid overdoses of two UMHS providers (one of which was fatal), the DEA conducted an investigation and concluded that a number of the hospital's practices concerning controlled substances were in violation of the CSA. For example, UMHS failed to secure DEA registrations for 15 off-site ambulatory care locations, each of which received narcotics from the main hospital's pharmacy and dispensed them to patients. The DEA also determined that UMHS failed to maintain complete and accurate records of certain controlled substances that it received, sold, delivered or otherwise disposed of, and failed to notify the DEA in a timely manner regarding certain instances of thefts or significant losses of controlled substances. It is note-worthy that the DEA has had a number of significant settlements in recent years related to providers failing to timely notify it of thefts or losses of controlled substances.

The Department of Health and Human Services (HHS) is also adding to the conversation of opioid related enforcement. In June, HHS's Office of Evaluations and Inspections (OEI) issued a data brief concerning opioid use in Medicare Part D that ultimately focused on prescribers who issued an aberrant number of opioid prescriptions. OEI identified Medicare Part D beneficiaries receiving large numbers of opioid prescriptions and then drilled down to the prescribers issuing those prescriptions. The report concluded that, based on the data analyzed, there were 282 prescribers that stood out for questionable prescribing. The report specifically identified providers who ordered opioids for a high number of beneficiaries with non-cancer diagnoses who were receiving "extreme" amounts of opioids and those providers who wrote prescriptions for beneficiaries that the data showed the patient was likely doctor-shopping. It is likely that the OIG is looking further into the providers identified by OEI's data analysis.

Yates Memo Revisions

After the change in administrations, there was a lot of buzz about comments from DOJ officials that the Yates Memo (officially, the "Memorandum on Individual Accountability for Wrongdoing") was being "reviewed." Recently, Deputy Attorney General Rod Rosenstein announced the results of that review but the changes are likely to be considered only minor adjustments or clarifications, rather than the hoped-for large-scale revisions. For criminal liability, the revisions clarify that companies seeking cooperation credit must identify every individual who was substantially involved in or responsible for any criminal conduct, rather than every employee involved regardless of relative culpability. Further, the revisions to the policy for civil cases recognizes that civil cases primarily target the recovery of funds and that pursuing all employees involved in wrong-doing may not be an efficient use of resources. As a result, the new policy makes clear that cooperation in a civil case is not an "all or nothing" proposition and that a company that identifies senior management but not lower level employees involved in wrongful conduct may qualify for at least partial cooperation credit.

HIPAA Enforcement

The penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) continue to stiffen. While providers for many years were focused on implementing HIPAA policies and procedures, the enforcement trends suggest the growing importance of rigorous audits and enforcement of those policies. The following are representative examples:

• University of Texas MD Anderson Cancer Center (MD Anderson) was found to have violated HIPAA's Privacy and Security Rules by an administrative law judge and ordered to pay $4,348,000 in civil money penalties. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop of an MD Anderson employee and the loss of two unencrypted USB drives containing the electronic protected health information (ePHI) of over 33,500 individuals. OCR's investigation found that MD Anderson had written encryption policies as far back as 2006 and that MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the policies and risk analysis findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 and failed to encrypt its inventory of electronic devices containing ePHI until 2013.

• In February, a physician in Massachusetts pleaded guilty to a misdemeanor count of wrongful disclosure of individually identifiable health information in violation of HIPAA. The physician allowed a pharmaceutical sales representative to access the confidential medical information of patients to identify potential candidates for one of the pharmaceutical company's drugs.

Conclusion

One of the hallmarks of an effective compliance program is to regularly engage in an assessment of the risks faced by the organization. One method of assessing those risks is to be familiar with the recent enforcement trends and evaluate whether those trends apply to the organization. Based on the past year, financial relationships with physicians and the medical necessity of services billed to Medicare and Medicaid are enforcement risk areas and should be considered for incorporation into compliance planning. As noted above, the evaluation of the medical necessity of services should not be limited to those provided internally as the government has sought to impose liability for services provided by external business partners. Moreover, with the ongoing and significant impact of the opioid epidemic on the country, law enforcement will undoubtedly continue to be focused on enforcing the Controlled Substances Act. Finally, while for many years providers have been focused on implementing HIPAA policies and procedures, the enforcement trends suggest that the focus needs to shift to ensuring that those policies and procedures are monitored and enforced to avoid exposure to increasing penalties.