Question

Summarize the provisions under HIPAA and the PPACA as they apply to fraud and abuse

Answer 1

Answer

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Kennedy–Kassebaum Act, or Kassebaum–Kennedy Act) consists of 5 Titles.

• Title I: Protects health insurance coverage for workers and their families that change or lose their jobs. It limits new health plans the ability to deny coverage due to a pre-existing condition.

• Title II: Prevents Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification that requires the establishment of national standards for electronic health care transactions and national identifiers for providers, employers, and health insurance plans.

• Title III: Guidelines for pre-tax medical spending accounts. It provides changes to health insurance law and deductions for medical insurance.

• Title IV: Guidelines for group health plans. It provides modifications for health coverage.

• Title V: Governs company-owned life insurance policies. Makes provisions for treating people without United States Citizenship and repealed financial institution rule to interest allocation rules.

Function of HIPAA

In passing the law for HIPAA, Congress required the establishment of Federal standards to guarantee electronic protected health information security to ensure confidentiality, integrity, and availability of health information that ensure the protection of individual’s health information while also granting access for health care providers, clearinghouses, and health plans for continued medical care.

• Standards for security were needed because of the growth in exchange of protected health information between covered entities and non-covered entities. These standards guarantee availability, integrity, and confidentiality of e-PHI. Also, there are State laws with strict guidelines that apply and overrules Federal security guidelines.

• The standards mandated in the Federal Security Rule protect individual's health information while permitting appropriate access to that information by health care providers, clearinghouses, and health insurance plans. The Security Rule establishes Federal standards to ensure the availability, confidentiality, and integrity of electronic protected health information. Also, state laws also provide more stringent standards that apply over and above Federal security standards.

• Health care providers, health plans, and business associates have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records locked in cabinets is not enough anymore. With information broadly held and transmitted electronically, the rule provides clear national standards for the protection of electronic health information.

Violations of HIPAA

Civil

• For an individual who unknowingly violates HIPAA: $100 fine per violation with annual maximum of $25,000 for those who repeats violation. There is also $50,000 per violation, and an annual maximum of $1.5 million.

• For a violation that is due to reasonable cause and not due to willful neglect: There is $1000 charge per violation, an annual maximum of $100,000 for those who repeatedly violates. There is also $50,000 penalty per violation and an annual maximum of $1.5 million.

• For HIPAA violation due to willful neglect, with violation corrected within the required time period. There is $10,000 penalty per violation, an annual maximum of $250,000 for repeat violations. There is $50,000 penalty per violation with an annual maximum of $1.5 million.

• For HIPAA violation due to willful neglect and not corrected. There is a penalty of $50,000 per violation, an annual maximum of $1,000,000, $50,000 per violation, and an annual maximum of $1.5 million.

Criminal

• For entities that are covered and specified individuals who obtain or disclose individually identifiable health information willfully and knowingly: The penalty is up to $50,000 and imprisonment up to 1 year.

• For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment up to 5 years.

• For offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the penalty is up to $250,000 with imprisonment up to 10 years.

The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, many resulting in civil and criminal prosecution.

Summary of Fraud and Abuse Provisions of the Patient Protection and Affordable Care Act

The Patient Protection and Affordable Care Act ("PPACA"), signed into law on March 23, 2010, contains many provisions that address fraud and abuse issues. The following is a brief synopsis of some of the major fraud and abuse law changes. (Stark Law Changes).

Establishment of Medicare Self-Referral Disclosure Protocol

Section 6409 of the PPACA primarily requires that the Secretary of HHS, in cooperation with the HHS Office of Inspector General (“OIG”), establish a self-referral disclosure protocol to permit providers and suppliers to voluntarily disclose potential Stark Law violations. The protocol must, at a minimum, set forth the contact person/office to whom disclosure may be made and the impact of the protocol on corporate integrity agreements/corporate compliance agreements. The Secretary must enact the protocol within six months of enactment of the PPACA and have the new protocol published on the CMS website.

Section 6409 of the PPACA also grants the Secretary of HHS the authority to reduce amounts owed for violations of the Stark Law. The Secretary may consider the following factors in assessing the amount owed for a Stark Law violation:

• Nature and extent of impermissible practice

• Timeliness of self-disclosure

• Cooperation in providing additional information related to the disclosure

• Other factors that the Secretary considers appropriate

Anti-Kickback Statute Changes

Lowered Criminal Intent Standard

Section 6402(f) of the PPACA clarifies that, for purposes of Anti-Kickback Statute violations, “a person need not have actual knowledge of [the Anti-Kickback Statute] or specific intent to commit a violation of [the Anti-Kickback Statute].”

Prior to the PPACA, the intent requirement under the Anti-Kickback Statute was unclear, with some courts requiring knowledge of the statute and specific intent to violate it. Ultimately, this revision clarifies that specific intent is not required to prove an Anti-Kickback Statute violation, lowering the government’s prosecutorial burden.

Violation Triggers False Claims Act

Section 6402(f) of the PPACA also clarifies that a violation of the Anti-Kickback Statute can also result in a violation of the False Claims Act. Specifically, items or services resulting from a violation of the Anti-Kickback Statute constitute a false or fraudulent claim for purposes of the False Claims Act.

Prior to the PPACA, most courts required some nexus between an Anti-Kickback Statute violation and the government’s decision to pay a claim (e.g., condition of payment) in order for the violation to be used as the basis for a False Claims Act violation. Under the amended language, the government or a whistleblower could potentially bring a False Claims Act claim by demonstrating that the defendant knowingly submitted a claim to the government for items or services that involved an underlying Anti-Kickback Statute violation.

Violation a Federal Health Care Offense

Section 10606 of the PPACA provides that a violation of the Anti-Kickback Statute is a “federal health care offense.” Federal health care offenses are subject to certain procedures for investigation, freezing of assets, injunctions and sentencing of parties suspected of committing such an offense. As a result, healthcare practitioners suspected or convicted of violating the Anti-Kickback Statute could face increased scrutiny, more detailed and onerous investigations and stiffer penalties.

False Claims Act Changes

Changes in Requirements/Definitions

Section 10104(j) of the PPACA makes various amendments to provisions under the False Claims Act, which amendments, as a whole, make it easier for qui tam relators to initiate and sustain actions under the False Claims Act.

First, this section now requires courts to dismiss qui tam actions “if substantially the same allegations or transactions as alleged in the action or claim were publicly disclosed” through specified forums, except in situations where the qui tam relator is an “original source” or where opposed by the government. Before the PPACA, the law completely cut off the court’s jurisdiction to hear such claims (unless the “original source” exception applied) and did not allow the government to oppose the dismissal.

Second, the amendment limits public disclosure to only include disclosure through federal investigations, reports, audits, hearings and proceedings and through the news media. Formerly, public disclosure also included state proceedings. This change limits the situations in which a False Claims Act defendant can assert the public disclosure defense.

Third, the amendment expands the definition of “original source” to include persons who: (i) voluntarily disclosed to the government “the information on which allegations or transactions in a claim are based” prior to the public disclosure; or (ii) have knowledge independent of and that “materially adds to the publicly disclosed allegations or transactions” and have voluntarily provided such information to the government before filing an action. This amendment will allow more qui tam relators to argue that the public disclosure defense is inapplicable to them.

Applicability to Health Insurance Exchange Payments

As you know, the PPACA seeks to create Health Insurance Exchanges to provide additional health insurance coverage options to the American public. As a result, Section 1313(a)(6) of the PPACA specifically states that “[p]ayments made by, through, or in connection with an Exchange are subject to the False Claims Act . . . if those payments include any Federal funds.”

Other Fraud and Abuse Enforcement Changes

Disclosure/Repayment Requirements for Overpayments

Section 6402(a) of the PPACA now expressly requires healthcare providers, suppliers or other applicable entities to promptly report and return Medicare and Medicaid overpayments. “Overpayment” is defined broadly to include any funds retained or received under the Medicare and Medicaid programs to which the entity or individual is not actually entitled. Moreover, the party returning the overpayment must also provide an explanation of the reason for the overpayment. The deadline for returning and reporting overpayments is the later of 60 days from the date the overpayment was identified or, if applicable, the date any corresponding cost report is due. Determining when the 60-day period begins to run may be difficult in practice because the statute does not define when a provider or supplier has “identified” an overpayment; is it when an overpayment is discovered or when the amount of the overpayment has been quantified to a reasonable certainty? Arguably, it would be difficult to make repayment of an overpayment if the amount has not been determined.

This section also states that any overpayment not returned by the applicable deadline is considered an “obligation” under the False Claims Act. Therefore, a party retaining the overpayment past the deadline could face liability under the False Claims Act. In addition, Section 6402(d)(2) of the PPACA imposes a civil monetary penalty on a party who knows of an overpayment and does not return it in accordance with the above described requirements. Finally, Section 6502(d)(1) of the PPACA permits applicable state agencies to exclude from participation in the Medicaid program, providers with unpaid overpayments.

Changes to Civil Monetary Penalties Law

The PPACA makes multiple changes to the civil monetary penalties law. Primarily, Section 6402(d)(2) and Section 6408(a) add several new violations for which the HHS Secretary may impose civil monetary penalties. The following is a list of some new violations implicating civil monetary penalties and the amount of the fine attributed to each violation:

• Ordering or prescribing a medical or other item or service while excluded from a Federal health care program – Up to $50,000 per prohibited order or prescription

• Knowingly making or causing to be made any false statement, omission, or misrepresentation on any application, bid, or contract to participate/enroll as a provider or supplier under a Federal health care program – Up to $50,000 per false statement, omission, or misrepresentation

• Failing to grant timely access to the HHS OIG for the purpose of audits, investigations, evaluations, or other statutory functions – Up to $15,000 per day delayed

• Knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim for payment for items and services furnished under a Federal health care program – Up to $50,000 per false record or statement

Lowered Intent Standard for Health Care Fraud

Similar to the revision of the Anti-Kickback Statute, Section 10606(b) of the PPACA clarifies that “a person need not have actual knowledge of [the health care fraud prohibition] or specific intent to commit a violation of [the health care fraud prohibition]” in order to commit “health care fraud.” This lowered intent standard will make it easier for the government to prove health care fraud, as established by HIPAA and defined in 18 U.S.C. § 1347.

Sentencing Enhancements for Federal Health Care Offenses

Section 10606 of the PPACA provides for various enhancements to the Federal Sentencing Guidelines for health care related offenses. Among other things, this section requires that the United States Sentencing Commission amend the Federal Sentencing Guidelines regarding Federal health care offenses “to provide that the aggregate dollar amount of fraudulent bills submitted to the Government health care program shall constitute prima facie evidence of the amount of the intended loss by the defendant.”

Furthermore, the section requires the Commission to adopt the following sentence enhancements for Federal health care offenses based on the amount of loss:

• 2-level increase in offense level if the loss is between $1 million and $7 million

• 3-level increase in offense level if the loss is between $7 million and $20 million

• 4-level increase in offense level if the loss equals or exceeds $20 million