OIG released our General Compliance Program Guidance (GCPG). The GCPG is a reference guide for the health care compliance community and other health care stakeholders. The GCPG provides information about relevant Federal laws, compliance program infrastructure, OIG resources, and other items useful for understanding health care compliance. The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. The GCPG is not binding on any individual or entity. Download the guide in whole or access individual sections.
Category: Alert
This is a common tale. It seems like most of my time is spent explaining to clients why you cannot pay marketers a percentage of the revenue derived from patients they refer to them. Press Release from Texas Attorney General:
Griffin obtained patients by offering and paying kickbacks to marketers as well as disguising illegal payments as marketing services and outsourced business services. Griffin then submitted false claims to both Medicaid and Medicare for orthopedic equipment that was never provided, not medically necessary, and not authorized by a physician.
HHS Office of Civil Rights is requiring all healthcare providers to use HIPAA-compliant telehealth platforms by Aug. 10. When the Public Health Emergency ended in May, CMS provided a transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.
The transition period will expire at 11:59 p.m. on August 9, 2023.
Per CMS, the list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.
- Skype for Business / Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- GoToMeeting
- Spruce Health Care Messenger
Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.
Also note, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
CMS is placing newly enrolling hospices located in Arizona, California, Nevada, and Texas in a provisional period of enhanced oversight. Over the last 12 months, we’ve received numerous reports of hospice fraud, waste, and abuse. The number of enrolled hospices has also increased significantly in these states, raising serious concerns about market oversaturation.
“New hospices” include those 1) newly enrolling in the Medicare Program (starting July 13, 2023); 2) submitting a change of ownership (CHOW) that meets all the regulatory requirements under 42 CFR 489.18; and 3) undergoing a 100% ownership change that doesn’t fall under 42 CFR 489.18.
This enhanced oversight can be from 30 days to 1 year.
HHS Health Sector Cybersecurity Coordination Center (HC3) has published a report (PDF) detailing cybersecurity concerns for healthcare providers. In particular, what can be done to remain secure, given AI-enhanced cyberthreats. The report provides an educational overview of regenerative IA, particularly ChatGPT and the difference between machine learning and neural networks.
More importantly, the report discusses how IA can threaten healthcare and ways the healthcare sector can defend against AI-enabled threats.
This was intentional criminal conduct of conspiracy and perjury related to Anti-Kickback Statute violations. From a U.S. Attorney’s Office for the Eastern District of Texas Press Release:
“By facilitating kickbacks, this defendant knowingly enabled theft from Medicare and Medicaid, putting personal profit before legitimate patient needs and ultimately costing taxpayers millions of dollars,” said Jason E. Meadows, Special Agent in Charge at the U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG). …
According to information presented in court, [Peter J. Bennett] created sham trusts and shell corporations through which he laundered at least $2,724,080.41 in healthcare kickback proceeds. Bennett used his law firm’s Interest on Lawyers Trust Account (IOLTA), operating account, and a personal bank account to launder and transmit the kickback proceeds. The perjury charges arose out of false statements Bennett made in response to interrogatories propounded in Civil Investigative Demands issued by the Department of Justice as part of a False Claims Act (FCA) investigation. Bennett was indicted by a federal grand jury in February 2022.
A website offers users the ability to search for physicians and other health care providers who have paid a fee to be included in the database. The website generates personalized results using a proprietary algorithim. The user can book an appointment with the provider directly through the website.
No fee is charged to the user. However, the providers pay to be listed in the database and pay when a user books an appointment. Providers can also purchase advertisments which are displayed to the users along with the search results.
OIG concluded that:
- although the Arrangement would generate prohibited remuneration under the Federal anti-kickback statute if the requisite intent were present, OIG would not impose administrative sanctions on Requestor in connection with the Arrangement under sections 1128A(a)(7) or 1128(b)(7) of the Act, as those sections relate to the commission of acts described in the Federal anti-kickback statute; and
- although the Arrangement could generate prohibited remuneration under the Beneficiary Inducements CMP, OIG would not impose administrative sanctions on Requestor in connection with the Arrangement under the Beneficiary Inducements CMP or section 1128(b)(7) of the Act, as that section relates to the commission of acts described in the Beneficiary Inducements CMP.
This toolkit provides detailed information on methods to analyze telehealth claims to identify program integrity risks associated with telehealth services. It is based on the methodology that OIG developed for the report Medicare Telehealth Services During the First Year of the Pandemic: Program Integrity Risks , which identified Medicare providers whose billing for telehealth services poses a high risk to Medicare. This toolkit is intended to assist public and private sector partners—such as Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units, and other Federal health care agencies—in analyzing their own telehealth claims data to assess program integrity risks in their programs.
Source: Toolkit: Analyzing Telehealth Claims to Assess Program Integrity Risks
The Supreme Court preserves access to the abortion pill mifepristone while the appeals play out. The case goes back to the 5th Circuit, where the FDA will pursue a full appeal of Kacsmaryk’s preliminary injunction. The agency and the anti-abortion groups will both have a chance to file briefs, and the case is scheduled to be argued before a three-judge panel on May 17. That appeal process could last months. The losing party could petition for rehearing with all judges of the 5th Circuit, known as en banc rehearing, and ultimately petition the Supreme Court once again. A final resolution could be months or years away.
Source: AP News: Supreme Court preserves access to abortion pill mifepristone
HHS Office of Civil Rights confirmed that that four Notifications of Enforcement Discretion (“Notifications”) will expire upon expiration of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023.
OCR’s notice applies to four Notifications of Enforcement Discretion of HIPAA related to the following circumstances:
- COVID-19 Community-Based Testing Sites during the PHE (available here);
- Telehealth Remote Communications during the PHE (available here);
- Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities (available here); and
- Online or Web-Based Scheduling Applications for Scheduling COVID-19 Vaccination Appointments (available here).