Health care compliance programs must be dynamic in order to enhance the effectiveness of the program. Being dynamic requires the compliance professional to be on top of recent government pronouncements and enforcement trends so that they can adjust and fine-tune their programs to incorporate and address developments and trends that impact their organization. This update focuses on key guidance from 2023 from the Department of Health and Human Services (“HHS”), HHS’s Office of the Inspector General (“OIG”), as well as notable enforcement trends. All of these developments can be used to assess compliance programs and incorporate new elements into those programs’ risk assessment process and work plan. Contact any member of our Health Law Section for more information and analysis on the information included in this update. Sit back, get a fresh cup of coffee, and dig in.

The First Wave of New Compliance Guidance from the OIG

Most compliance professionals are familiar with the provider-specific “compliance guidance” published by the OIG in the 1990s and early 2000s in the Federal Register. Earlier in 2023, the OIG announced that it would be refreshing that guidance and, rather than publishing it in the Federal Register, it would be available on the OIG’s website. In November, the OIG published the first of its updated guidance – cleverly titled “General Compliance Program Guidance.” While the title might not be alluring, the new format is eminently more readable and will be an excellent tool for training new compliance professionals. The guidance is one-stop shopping for an overview of health care compliance and includes a summary of federal health care enforcement statutes, the core elements of a compliance program, how to adapt compliance programs for both small and large entities, and a useful section on the OIG resources available for compliance professionals to stay up-to-date on risks facing health care organizations. Stay tuned – the OIG will be releasing updated provider-specific compliance guidance starting in 2024.

Risk Adjustment Enforcement May Trickle Down to Providers

2023 marked the first year that more than half of Medicare beneficiaries are enrolled in Medicare Advantage (“MA”) Plans. With that large spend now being paid to MA plans, it’s not surprising that the DOJ enforcement focus has started to shift to that program.

To date, the enforcement in this area has primarily focused on the Medicare Managed Care Organizations (“MCOs”) and alleged schemes to maximize risk-based reimbursement through falsifying beneficiary diagnosis codes. However, the fight might be coming to providers who are reimbursed by MCO’s under the MA program. Under the MA program, the Centers for Medicare & Medicaid Services (“CMS”) makes monthly payments to MCOs according to a risk adjustment system that depends on the health status of each enrollee, including the enrollee’s diagnosis. MCOs have a variety of methods of reimbursing the providers for the health care services rendered to the MCO participants but, in some cases, providers receive incentive payments based on the MCO’s reimbursement from CMS. As a result, the providers receiving these incentive payments are potentially incentivized to categorize enrollees in a higher risk category to increase reimbursement.

In a complaint filed against Sutter Health, the DOJ claimed that Sutter Health embarked on a campaign to submit diagnosis codes that increased both the reimbursement received by the MCOs and, as a result, the reimbursement received by Sutter Health.¹ Sutter Health eventually settled those allegations for $90 million. Reflecting the ongoing focus on risk adjustment-based reimbursement, CMS finalized rules in early 2023 for risk adjustment audits² and, in October 2023, the DOJ announced criminal charges against MCO executives related to risk-based reimbursement.³

Financial Arrangements with Providers are Still High Risk

Enforcement of the Anti-Kickback Statute (“AKS”) remains an active area. In particular, we are seeing substantial enforcement related to management service organizations – or MSOs – that operate health care entities. MSOs are often formed as a vehicle to provide management services to health care providers and have become a common practice in light of the interest of private equity in the health care industry and the prohibition in most states against the ownership of health care entities by individuals or entities not licensed to practice medicine. When an MSO is formed, the MSO will have a financial relationship with the health care providers in the related health care entity, either through an agreement to provide services to the organization or by offering an ownership interest in the MSO to the health care providers. The enforcement authorities are now heavily targeting these financial relationships between the MSO and the health care providers under the AKS.

For example, the Department of Justice intervened in a whistleblower case that examined the relationship between an MSO and related health care providers in the context of referrals for laboratory services.⁴ The case alleged a scheme between a laboratory company, executives and employees of the laboratory company, a rural hospital, and two executives from the hospital to create an MSO that recruited patients to have the laboratory testing performed at the hospital. The MSO offered investment interests in the MSO to physicians who referred patients to the hospital for testing and the government alleged that these investment interests were in fact kickbacks for the referred testing. This case is ongoing but there were a number of settlements announced by the DOJ in the past year which involved allegations of kickbacks to health care providers disguised as investment interests in MSOs.

Health care entities contemplating forming or entering into an MSO should work with experienced health care counsel to evaluate these arrangements for compliance with the Anti-Kickback Statute and the Stark Law.

Cyber Security

While much of the technology news in 2023 focused on artificial intelligence, the cybersecurity threats continued. In fact, the Office of Civil Rights for the Department of Health and Human Services (“OCR”) imposed its first civil monetary penalty (“CMP”) for a data breach precipitated by a phishing attack against a provider.⁵ The penalty was leveled against a medical group that self-reported a data breach in which an unauthorized actor gained access to an email account of an employee and was then able to access the protected health data of nearly 35,000 patients of the medical group. Importantly, the CMP imposed was supported by the findings that the medical group had failed to conduct a risk analysis to identify potential threats as required by HIPAA and had no policies and procedures in place to regularly review IT system activity to safeguard PHI against cyberattacks. Recent CMPs have repeatedly cited the provider’s failure to conduct required risk assessments as a basis for the fine. The medical group agreed to pay a $480,000 CMP and implement a corrective action plan.

OIG Advisory Opinions

It was a busy year for the OIG branch that issues advisory opinions: 15 were issued in 2023. The following four summaries of this year’s opinions are particularly applicable to the provider community.

Online Health Care Directory – Advisory opinion 23-04: The OIG issued a favorable opinion regarding an online health market place that was available to both private insurance participants and to Medicare and Medicaid beneficiaries. The directory allows users to search for and book appointments with the participating providers paying fees for bookings and having the option to pay for sponsored ads. The opinion notes that the fees for each booking are set in advance based on valuations by an independent, third-party valuation firm and do not depend on the user’s insurance. While the arrangement implicates the AKS, the arrangement was deemed acceptable due to features of the arrangement including that it provided for transparency, fees based on fair market value, and search results that were displayed consistent with the individual user needs.

Surgeon-Owned Interoperative Entity – Advisory Opinion 23-05: In an unfavorable opinion, the OIG rejected a plan to allow surgeons to invest in an entity that provides intraoperative neuromonitoring (IONM) services. The requestor of the opinion currently provides both the technical and professional component of IONM to both hospitals and ambulatory surgery centers. Under the proposed arrangement, the requestor would assist with establishing a new entity to provide these services and allow surgeons that utilize these services to invest in the new entity. The requester represented that it would attempt to restrict the physicians from referring federal health care program beneficiaries to the new surgeon-owned entity but that it would be difficult to enforce. The OIG found that the arrangement implicated the AKS and presented a significant risk of fraud and abuse. The OIG found that the Proposed Arrangement would enable the parties to do indirectly what they could not do directly – pay the surgeon owners a share of the profits from their referrals for IONM services that could be reimbursable by a federal health care program. In issuing the ruling, the OIG referenced again its long-standing concerns over joint ventures discussed in its 1989 Special Fraud Alert.

Arrangements Between Pathology Laboratories – Advisory Opinion 23-06: In another unfavorable opinion, the OIG reviewed a pathology lab's proposal to outsource a component of a test they could perform in-house, despite having the necessary capabilities. Under the proposed arrangement, certain laboratories (some owned by physicians) would perform and receive payment for the technical component, while the requestor—which has contracts with third-party payors allowing it to bill for anatomic pathology services—would perform the professional portion and bill payors for both components of the service. Although the arrangement carved out federal health care program business, the OIG rejected the arrangement because the remuneration paid from requestor to physician-owned laboratories may increase the likelihood that these entities or their affiliated physicians would order services from requestors that are billable to federal health care programs. Consequently, the OIG deemed the arrangement high-risk and potentially generating illegal remuneration under the AKS.

Profit-Based Bonus Plan for Physician Employees – Advisory Opinion 23-07: In a favorable opinion, the OIG issue a green light to a multi-specialty physician practice's proposal to reward its employed physicians with bonuses tied to the financial performance of specific procedures performed by the physician. The proposed bonus equaled 30% of the net profits from the facility fees generated by the physician's procedures at the practice's own ambulatory surgery centers. Several key factors were cited in this favorable opinion. First, the requester certified that the physicians were bona fide employees according to IRS definitions, ensuring their bonuses were considered legitimate compensation for services rendered. Additionally, the bonus structure fell within the scope of both the statutory exception and safe harbor provision for employee compensation within the AKS. However, the OIG's green light was contingent on the arrangement being implemented precisely as described and noted that similar incentives for independent contractors or involving different corporate structures could trigger AKS concerns.

Having a compliance plan alone is insufficient to protect an organization. The DOJ and the OIG have made clear that the government does not consider a compliance program to be truly effective unless that compliance program evolves in response to the current enforcement climate and known risks.

¹ U.S. ex rel. Ormsby v. Sutter Health, et al., Case No. C 15-01062 (N.D. Ca.), Docket No. 41.
² https://www.cms.gov/newsroom/fact-sheets/medicare-advantage-risk-adjustment-data-validation-final-rule-cms-4185-f2-fact-sheet
³ https://www.justice.gov/opa/pr/former-executive-medicare-advantage-organization-charged-multimillion-dollar-medicare-fraud
⁴ U.S. ex rel. STF, LLC v. Christopher Grottenhaller, et al. 4:16 – cv – 00547 (E.D. Texas).
⁵ https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html