Medicaid enforcement is a hot topic in Health and Human Services and the U.S.
Department of Justice as they jointly issued Health Care Fraud and Abuse Control
("HCFAC") program annual report.
According to the HCFAC report, HHS-OIG investigations
resulted in 849 criminal actions against individuals or entities that engaged
in crimes related to Medicare and Medicaid. HHS-OIG also excluded 3,214
entities, 1,132 of which were due to convictions for crimes related to Medicare
and Medicaid. This robust enforcement is despite the fact that the DOJ and HHS
had $30.6 million sequestered from the HCFAC program in FY 2013. In FY 2013,
the federal government won or negotiated approximately $4.33 billion in
judgments and settlements, resulting in $576 million in federal medicaid money
being transferred to the treasury.
The Top 10 Areas for Medicaid Compliance Focus
The Affordable Care Act provided several additional tools to
assist the government which have changed the landscape for enforcement and
increased the risks providers and suppliers face. These new federal laws overlay
state laws and rules which vary, sometimes widely, by state.
It can sometimes seem difficult to design an effective
Medicaid compliance program given the many potential sources for compliance
requirements and many recent changes. Below we suggest 10 areas which can be a
start in addressing efforts at Medicaid compliance.
DRA Compliance
Effective since Jan. 1, 2013, any entity which receives at
least $5 million annually from a Medicaid state plan must establish written
policies for all employees that provide detailed information about the False
Claims Act and state laws pertaining to civil penalties for false claims and
statements, whistleblower protection laws and the role of these laws in
preventing and detecting fraud, waste and abuse in federal health care
programs.
Some states require that providers and suppliers complete
and submit “Certification of Compliance with the Federal Deficit Reduction Act
of 2005” forms that must be filed with the state to ensure compliance with the
Deficit Reduction Act ("DRA").
In addition to assuring that necessary policies are in
place, providers and suppliers should also be prepared to deal with a labor
force that is more sophisticated about its opportunities for whistleblowing.
Provider Enrollment
For providers and suppliers, the enrollment process must be
viewed as a high-priority, and compilation of supporting documents and the
completion of lengthy enrollment forms, while more than somewhat tedious, must
be assigned to competent personnel under high-level supervision. These
enrollments are currently done separately by each state despite some earlier
commentary from CMS about hopes to consolidate Medicare and Medicaid enrollment
activities.
ACA Section 6401 required Medicaid state plans to enhance
the scrutiny required for prospective provider and supplier program
enrollments.
•States must perform screenings of potential providers and
suppliers. In certain circumstances, states must require criminal background
checks and fingerprint scans.
•States are required to revalidate enrollments at least
every five years.
•States must conduct site visits (pre- and post-enrollment)
for providers who are in the designated categories of high or moderate risk,
and must require providers to agree that CMS, the state and other entities may
conduct unannounced site visits at any time at any and all provider locations.
•States must deny or terminate the enrollment of any
provider that is terminated on or after Jan. 1, 2011, under Title XVIII of
Medicare, under the Medicaid program or Children's Health Insurance Program
("CHIP") of any other state. This means that a sanction by another
Medicaid program, such as an enrollment revocation or termination for cause,
can have a reciprocal effect across all other Medicaid enrollments.
Moratoria on New Enrollments
Companies seeking to expand to new locations or lines of
business should check at an early stage for any federal or state moratoria that
may preclude or delay such a strategy. Under provisions added by the ACA, a
state may impose temporary moratoria to preclude the enrollment of new
providers or impose numerical caps or other limits on such enrollments.
For example, in October 2013, California’s Medi-Cal program
imposed a temporary moratorium on the enrollment of clinical laboratories or
the change or expansion of provider-of-service categories for an already
existing laboratory, subject to certain exemptions.
Application of Stark Law to Medicaid
The federal Stark Law prohibits Medicare payments for claims
reflecting physician self-referrals for certain designated health services, a
relatively simple concept which has been made exceedingly complex by federal
regulations. Federal law further provides that federal Medicaid payments,
called federal financial participation ("FFP"), should not be paid to
a state for services which would be in violation of the Stark Law if payment
were sought under Medicare.
Some recent court cases have reflected allegations that a
provider can violate the federal False Claims Act by submitting Medicaid claims
that would violate the Stark Law if submitted under Medicare and then falsely
certify Medicaid compliance with the knowledge that the certification was
false.
While these theories continue to be challenged, providers
should consider this as a potential business risk when structuring arrangements
involving physicians. State law with similar provisions may also be applicable,
some of which may also apply for commercial payers in addition to Medicaid.
Payment Suspensions Based Upon Credible Allegations of Fraud
For any entity under investigation, the possibility of an
immediate cash flow crisis resulting from a payment suspension must be
considered. Note that some Medicaid programs require a self-report to the
Medicaid agency if a provider discovers it is under investigation.
Section 6402(h) of the ACA, amended by 42 U.S.C. Section
1396b(i)(2), provides payments to a provider or supplier that will be suspended
pending investigation of credible allegations of fraud, and that there will be
no FFP payments in such circumstances if payments are not suspended, unless the
state determines there is good cause not to suspend the payments.
CMS has issued regulations applicable to Medicaid
suspensions at 42 C.F.R. 455.23. "Credible allegation of fraud" is not
defined in the statute, but is defined in 42 C.F.R. 455.2 to include
allegations from such sources as fraud hotline complaints, data-mining claims
and patterns identified through provider audits, civil false claims cases and
law enforcement investigations. Although payment suspensions are temporary, no
maximum period of Medicaid payment suspension is set by these federal
regulations, in contrast to similar provisions applicable to Medicare payment
suspensions.
In its recent FY 2013 MFCU Report, OIG-HHS noted that the
Medicaid payment suspension rules put in place by the ACA have not been fully
implemented by the states. State agencies have expressed difficulty with
determining what constitutes a credible allegation of fraud, with the ability
to make determinations in a timely manner and with what should be the standard
for a “good cause” exception.
HHS-OIG indicates that it has undertaken additional reviews
regarding these payment suspensions. Providers and suppliers should expect
states to become more aggressive in their imposition of suspensions based on
credible allegations of fraud in the near future once the noted challenges are
addressed.
State Specific Provisions
Because each state’s Medicaid program is operated by the
state — subject to certain parameters imposed by CMS — each state will have its
own set of fraud, waste and abuse provisions which its providers and suppliers
must comply with. These requirements are commonly found in statutes,
regulations and provider manuals issued by the state, and often require a
working understanding of state-specific peculiarities to navigate through their
maze-like structure.
In some states, there may be other sources that also set
forth requirements for participation. For example, in California, the Medi-Cal
Provider Agreement, a document signed by the provider as a condition for
participation, or continued participation, in Medi-Cal (i.e., California’s
Medicaid program), sets forth the provider’s agreement to 41 different
provisions.
These include acknowledgment that the provider is subject to
several different types of payment suspensions; the provider’s express
agreement to make available its records for inspection by the state agency,
attorney general and the Secretary of HHS; and the acceptance of various time
limits for submission of updates to its enrollment information.
The compliance challenge for providers and suppliers is to
identify where to find the state requirements and how to keep up with them when
they change.
Excluded Provider Checks
In addition to the federal exclusion lists, exclusion or
termination lists often exist at the state level. For example, in New York, if
the Office of Medicaid Inspector General ("OMIG") finds good reason
that a provider should no longer be eligible to participate, the provider is
placed on a list of excluded providers. In California, Medi-Cal maintains a
list of providers who are “ineligible and suspended.”
Those on a state list will not turn up on the federal list
unless HHS-OIG has taken action to exclude them. Similarly, those who are
terminated from Medicare participation by CMS will not show up on the HHS-OIG
exclusion list.
Some states require that their lists be checked on a monthly
basis. CMS and HHS-OIG have both recommended monthly checks of the HHS-OIG
exclusion lists, but have not made that mandatory.
Medicaid RACs
Section 6411 of the ACA extended Medicare’s highly
successful Recovery Audit Contractor ("RAC") program to the Medi-Cal
program.
CMS required state agencies to enter into contracts with
RACs to identify overpayments and underpayments. The RACs are paid on a
contingent fee basis, just as Medicare RACs — now called “recovery auditors” —
are paid.
In December 2011, CMS issued FAQs which further explained
its expectations for state implementation, including that states were not
required to include managed care claims in the RAC audits as of that time (only
fee-for-service), but might revisit that limitation in the future.
Providers should determine the identified areas for RAC
review and review state-specific coverage and payment rules applicable to such
items and services to assure their claims will be best-positioned so auditors
will allow them.
60-Day Refund Rule
Effective with the ACA’s passage in 2010, Medicare and
Medicaid providers, suppliers and plans are required to report and refund known
overpayments no later then 60 days from the date the overpayment is identified
or the date a corresponding cost report is due, if any. Failure to refund
identified overpayments is grounds for imposition of federal civil monetary
penalties and False Claims Act liability.
The FCA includes provisions which allow whistleblowers to
share generously in the government’s recovery against a provider and, as
discussed above, providers must maintain policies designed to educate their
employees about the FCA to be compliant with the DRA.
Some states, such as New York, have provided comprehensive
guidance as to how providers and suppliers should interpret these provisions
and make necessary refunds.
Even in the absence of specific guidance from a state,
however, the refund statute is in effect and providers and suppliers should
establish policies for promptly identifying, disclosing and refunding any
excess Medicaid payments.
Mandatory Compliance Plans
Prior to the ACA, adoption of compliance programs were
largely voluntary even though the HHS-OIG strongly recommended the adoption of
its compliance plan guidelines for several provider types.
The ACA transformed compliance plans into a requirement for
“provider[s] of medical or other items or services or supplier within a
particular industry sector or category” as a condition of enrollment in
Medicare, Medicaid or CHIP.
HHS, in consultation with the OIG, was tasked with
establishing core elements for the compliance plans for different industry
sectors. These core elements include: (1) written policies and procedures, (2)
compliance officer, compliance committee and high-level oversight, (3)
effective training and education, (4) effective lines of communication, (5)
well-publicized disciplinary standards, (6) effective system for routine
monitoring and auditing and (7) prompt response to compliance issues.
While federal regulations have not yet been issued which
provide further instructions, providers and suppliers should be prepared for
these to be issued. State requirements should also be checked for compliance
requirements. For example, in New York, the OMIG has already provided a
“Compliance Program Review Assessment Form” and also has a form which permits a
New York Medicaid provider to certify that its compliance program
satisfactorily meets the requirements of pertinent state law.
Conclusion
As illustrated by the HHS-OIG and HCFAC reports, Medicaid
enforcement is on the rise. The ACA introduced several new areas that create a
need for providers to focus on Medicaid compliance efforts. Medicaid compliance
will necessitate an understanding of both federal and state requirements.