Weekly Health Care Criminal and Civil Fraud Enforcement Round-Up
The following highlights notable health care fraud and abuse news, settlements and enforcement actions from the previous week.
- Nursing Home Pharmacy, Omnicare, Inc., to Pay $28.125 Million to Resolve Kickback Allegations. Today, the Department of Justice (“DOJ”) announced that the nation’s largest nursing home pharmacy, Omnicare Inc., has agreed to pay $28.125 million to resolve allegations that it solicited and received kickbacks from Abbott Laboratories (“Abbott”) in exchange for recommending that physicians prescribe Depakote, an anti-epileptic drug manufactured by Abbott, to elderly nursing home residents. CVS Health Corporation acquired Omnicare in 2015, approximately six years after Omnicare ended the conduct that gave rise to today’s settlement. The DOJ reports that as part of today’s settlement, a former Abbott employee whistleblower will receive $3 million from the settlement amount. This settlement comes after Abbott’s $1.5 billion settlement in 2012 to resolve civil and criminal liability under the False Claims Act relating to claims that it paid kickbacks to nursing home pharmacies, including Omnicare and PharMerica Corp. In October 2015, PharMerica agreed to pay $9.25 million to resolve civil liability for the alleged kickbacks from Abbott.
- Skilled Nursing Facility Operator and Director to Pay $2.5 Million to Resolve Inflated Medicare Claims Allegations. On October 13, 2016, the DOJ announced, that skilled nursing facility operator Whittier Health Network, Inc., and its Director of Long Term Care have agreed to pay $2.5 million to resolve allegations concerning inflated Medicare claims. The government alleged that the nursing facilities submitted bills for therapy that did not occur as reported and that the company’s therapists routinely reported therapy time using estimates that were rounded up from the actual minutes of therapy provided, despite Medicare rules specifically prohibiting rounding. This settlement continues the DOJs trend of investigating inflated Medicare billing at skilled nursing facilities.
Transition to Value-Based Reimbursement Continues as CMS Releases MACRA Final Rule
On Friday, October 14, the Centers for Medicare & Medicaid Services (“CMS”) released a nearly 2,400-page final rule with comment period for the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) Quality Payment Program — a landmark Medicare clinician payment system that replaces the sustainable growth rate methodology for physician fee-schedule updates with a value and outcomes based reimbursement system. In a press release, CMS indicated that the final rule was informed by a months-long listening tour with nearly 100,000 attendees and nearly 4,000 public comments. CMS acknowledged that it expects the Quality Payment Program to evolve over multiple years with additional input from physicians, patients and others. To that end, CMS issued the final rule with an additional 60-day comment period.
The MACRA Quality Payment Program:
- Applies to physicians, physician assistants, nurse practitioners, clinical nurse specialists, and certified registered nurse anesthetists that bill more than $30,000 to Medicare and provide care to more than 100 Medicare patients per year.
- Begins as soon as January 1, 2017 for those clinicians that are ready to start collecting performance data, or as late as October 2, 2017.
- Will change clinicians’ Medicare reimbursement payments positively or negatively based on program performance. Performance payment adjustments will go into effect on January 1, 2019. Clinicians that don’t send in any 2017 data will receive a negative 4% Medicare payment adjustment.
- Includes two tracks for clinician participation: (1) the Advanced Alternative Payment Models track (“Advanced APMs”), or (2) the Merit-Based Incentive Payment System track (“MIPs”). Clinicians participating in a qualifying innovative care model (an Advanced APM) may earn a Medicare incentive payment for such participation. Clinicians that chose not to participate in an Advanced APM, will participate in the MIPs track, where their traditional Medicare payments will be adjusted based on certain performance measures.
- Will dictate which alternative payment models will qualify as Advanced APMs. CMS currently anticipates that the following payment models will qualify as an Advanced APM in 2017: (1) the Comprehensive ESRD Care Two-Sided Risk program, (2) the Comprehensive Primary Care Plus program, (3) the Next Generation ACO program, and (4) the Medicare Shared Savings Program Tracks 2 and 3. Some industry stakeholders are particularly disappointed that CMS’s narrow definition of Advanced APMs will fail to reward many physician practices for their non-qualifying care transformation efforts. CMS acknowledges that this list may change based on stakeholder inputs and that it intends to publish a final list of qualifying Advanced APMs by the end of the year.
While many industry stakeholders, including the American Medical Association, reacted positively to the regulation, the impact of a 2,400-page regulation on physician practices will need to be monitored. For more information, interested parties can visit the interactive Quality Payment Program website, which CMS rolled-out simultaneously with the final rule last Friday.
HHS Publishes Guidance on HIPAA and Cloud Computing
The U.S. Department of Health & Human Services (“HHS”) recently published guidance on its website regarding HIPAA and cloud computing. The guidance presents key questions and answers to assist HIPAA-regulated cloud service providers (“CSPs”) and their customers in understanding their responsibilities under the HIPAA rules when they create, receive, maintain or transmit electronic protected health information (“ePHI”) using cloud products and services.
As expected by many in the industry, the guidance affirms that HIPAA covered entities (or their business associates) can take advantage of cloud computing while complying with HIPAA regulations protecting the privacy and security of ePHI so long as the covered entity or business associate enters into a HIPAA-compliant business associate agreement with the CSP. HHS cautions, however, that “a covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies…” HHS also clarifies that a CSP storing or maintaining encrypted ePHI on behalf of a covered entity or a business associate is itself a business associate even when the CSP does not have access to the decryption key and cannot actually view the ePHI. Notably, the guidance also suggests that Covered Entities review any service level agreements (“SLAs”) with CSPs, to ensure that the SLA does not limit the ability of the Covered Entity to comply with HIPAA and that the SLA is consistent with the BAA.