The COVID-19 crisis creates many new challenges for hospitals and healthcare providers, particularly for those involved in compliance. Foremost is the question of how to respond promptly to slow or stop the spread of COVID-19, but at the same time, ensure that in doing so your organization is operating in a compliant manner. While this challenge is easy to describe, it is far more difficult to achieve in a constantly shifting compliance landscape. Now more than ever, the compliance department needs to be adequately staffed and resourced in order to track, analyze, and respond to compliance challenges.
Like with any crisis, the compliance pitfalls for healthcare are made increasingly prevalent by bad actors seeking to profit from the COVID-19 pandemic. The nation’s top law enforcement officer, Attorney General William Barr, recently issued a statement that the Department of Justice (DOJ) will “prioritize” its enforcement efforts and “use every resource it has available” to detect, investigate, and prosecute fraud arising from the current crisis.1
There is certainly an expectation by law enforcement that an organization’s ethical standards and commitment to compliance must be adhered to, despite new demands. Thus, compliance professionals should remain vigilant to keep the organization informed and focus on complying with the laws and regulations in their respective areas.
We are already seeing a limited number of prosecutions and enforcement actions relating to COVID-19. By taking appropriate steps now, an organization may avoid such scrutiny by authorities later. History shows there tends to be an uptick in fraud and abuse investigations following responses to natural disasters and other emergencies. This update provides a summary of some of the key challenges that every healthcare compliance professional needs to consider in light of the COVID-19 crisis.
What exactly is COVID-19 fraud? The DOJ has listed these as examples of possible schemes related to COVID-19:
- Price gouging when buying or selling personal protective equipment (PPE) such as masks, gowns, or gloves;
- Marketing and selling fake testing kits or cures;
- Phishing e-mails from entities claiming to be the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), or a local health care facility;
- Malicious websites and apps that target with ransomware under the guise of providing COVID-19 information or advice; and
- Improperly obtaining patient information for COVID-19 testing and then using that information to fraudulently bill for other tests and procedures.2
The DOJ has asked for the public’s cooperation and assistance by reporting suspected COVID-19 fraud. A national hotline for victims of suspected COVID-19 fraud has been established. The DOJ also directed all 94 United States Attorney’s Offices to designate special fraud coordinators to handle COVID-19 fraud investigations and prosecutions. Additionally, the DOJ has pursued several enforcement actions related to COVID-19 fraud and numerous nationwide investigations are ongoing.
Law enforcement is clearly focused on price gouging and the hoarding of medical equipment such as ventilators or N95 respirator masks used by health care workers. During times of national or state emergencies, certain laws are automatically triggered that can protect hospitals and health care facilities from price gouging by suppliers. For example, some states have measures that prohibit “excessive pricing” or price increases for goods and supplies by more than 20% during an emergency.
Compliance officers and other top-level managers must be vigilant to protect their organizations against those who are trying to exploit the current crisis for financial gain by staying abreast of developments and keeping others informed. To be effective, compliance must be integrated with other functions of the organization such as IT, procurement, and vendor contracts. As schemes appear to be changing quickly, compliance can provide training on how to identify or detect fraud or counterfeit goods. Compliance should also have a documented plan in place on how to respond internally and/or report externally suspected wrongdoing. Performing even a basic background check on new or unknown suppliers may save your organization time and money in the long run. This is not the time to relax or disregard adherence to established compliance policies and procedures.
Waivers and Expansion of Telemedicine Services
As most providers are aware by now, the Department of Health and Human Services (HHS) has utilized its broad waiver authority pursuant to Section 1135(b) of the Social Security Act to relax existing regulations that may impede quick and efficient responses to the COVID-19 crisis.3 These waivers, however, require a keen awareness to compliance concerns and potential pitfalls that may arise when relying upon them.
Foremost, the HHS waivers do not abrogate or supersede state rules and regulations, and any services rendered pursuant to an 1135 waiver must still be done in compliance with applicable state law. A good example of this warning can be seen through the expansion of telemedicine in response to the COVID-19 crisis. Telemedicine is being widely promoted, particularly in light of social distancing recommendations and stay-in-place orders.
The telemedicine waivers generally provide for the following:
- Expansion of the type of providers whose services qualify for reimbursement;
- Elimination of the “originating site” requirements for telemedicine thereby allowing services to be done in the home;
- Expansion of the permissible methods to render telemedicine services, including Apple FaceTime, Facebook Messenger, Google Hangouts, Skype, etc.;
- Flexibility for providers to reduce or waive cost-sharing requirements; and
- Forbearance on conducting certain audits of telemedicine services.
State requirements for the provision of telehealth services still apply unless a corresponding waiver has been issued by the relevant state agency. For example, the Georgia Composite Medical Board which regulates physicians has issued such a waiver under Georgia R. & Reg. 360-3-07 (as amended by emergency rule change).
At the same time, both federal and state authorities have made telemedicine fraud a top enforcement priority. This was never more evident than last year’s nationwide takedown involving telemedicine companies that were responsible for over $1.7 billion in fraudulent claims to the federal health care programs. One noteworthy aspect of the takedown was the government’s zeal to prosecute individuals such as physicians, nurse practitioners, and other professionals who provided the telemedicine services to patients.
Similarly, there is little doubt that the government will examine telemedicine billing data to identify high billers and other outliers involved in the current crisis. In addition, the government will scrutinize telemedicine-related providers such as pharmacy, durable medical equipment, physical or occupational therapy, mental health, and others who bill for services pursuant to telemedicine modalities. As the pandemic subsides, the government will then seek to identify any questionable trends and suspect practices that arose and direct its investigative efforts accordingly. For example, the medical necessity (or lack thereof) of telemedicine services provided during the COVID-19 crisis will likely be scrutinized and audited at some point.
All this highlights the importance of monitoring telemedicine practices and assuring that all applicable federal and state rules are being followed, not only as they relate to licensure and scope of practice, but also billing and coding. The waivers should not be viewed as a “free for all” or an easy “opportunity to bill” for telemedicine services. Whether you or your organization utilized it before the COVID-19 crisis, now would be a good time to perform a full compliance check and risk assessment of your telemedicine services.
New Hires and Relaxation of Licensing Requirements
A cry heard often is the call for more staff and personnel to fight the pandemic. Recent reports indicate that even former and retired clinicians are being called back into service. As part of its response to COVID-19, HHS has issued a waiver that relaxes the requirement that a provider be licensed in the state in which he or she renders services as long as the individual holds a license in another state. Similarly, many states have expedited their provider licensure processes or agreed to recognize out-of-state licenses in concert with the HHS waiver. For example, the Georgia Composite Medical Board has authorized the issuance of a temporary “emergency practice permit” for providers who are licensed in another state. This waiver presumably applies to the provision of telemedicine services as well.
While this all-hands-on-deck approach is an obvious response to the growing threat of COVID-19, it does pose several compliance challenges to an organization’s commitment to providing quality care. For example, the waivers do not relieve a hospital’s responsibility to run criminal background checks, National Practitioner Databank (NPDB) inquiries, and Office of Inspector General (OIG) exclusion checks for new hires. Failing to take these steps even during the current crisis opens an organization to unwanted attention and possible legal claims like negligent hiring, negligent credentialing, and monetary liability for fines and penalties.
Protection of Patient Health Information
Another important area that has seen a number of revised rules as a result of the COVID-19 crisis relates to patient health information. In a rush to respond, it appears numerous exceptions to data security and privacy are being implemented. Accordingly, compliance policies must be reviewed and revised in light of these changes. The Microsoft Corporation recently issued a warning that it believes hospitals and health systems in particular are exposed and susceptible to ransomware attacks during the COVID-19 crisis.4
Law enforcement is certainly watching closely for those who try to exploit any resulting vulnerabilities in health information systems. In fact, the OIG identified the theft of patients’ personal information as one of its top investigative priorities in dealing with the pandemic. This investigative focus is partly attributable to the fact that numerous healthcare fraud schemes begin with theft of patient data.
Moreover, cybercrimes such as hacking, phishing, and spamming are as prevalent as ever and often serve as the launching point for major healthcare fraud schemes. These risks are even more of a challenge with so many workers working remotely from home. Compliance and privacy personnel need to be aware and able to track all individuals and business associates who access an organization’s electronic health information systems during this critical time. Once a patient’s information is compromised, copied, or stolen, that information can be sold and used to generate fake or fraudulent claims.
Outsourced Service Providers
In an effort to expand services, hospitals may seek out and contract with service providers to run one or more clinical units of a hospital. This can be an entire service line like pulmonary medicine, emergency care, wound care, or behavioral health. However, just because these units are run by another entity does not obviate the need to monitor billing and quality of care compliance. The consequences of failing to monitor the outsourced departments of your hospital are even more evident in this age of COVID-19 when entire units may be brought in to help with the response.
In particular, hospitals must have sufficient policies and procedures to ensure that these outsourced service providers are taking care to adequately document their services, to code professional and technical services correctly, and to bill appropriately. Further, hospitals ought to be conducting periodic audits and evaluations of these service lines to ensure that things are being done correctly. There have been a host of recent enforcement actions indicating that the DOJ views hospitals as equally culpable as the contracted service line providers themselves whenever improper claims are submitted for payment.
Despite new opportunities and the relaxation of regulations in response to the COVID-19 pandemic, now is not the time for hospitals and healthcare organizations to stray from their mission and commitment to compliance. It is also not the time to lose oversight of those with whom you do business. While it may appear as though fraud enforcement has diminished as a result of the current crisis, this slowdown is only temporary.
The work to address and eliminate fraud, waste, and abuse in response to COVID-19 is only beginning and will most certainly remain an enforcement priority. HHS-OIG has already updated its Work Plan to include oversight and audits related to providers’ responses to COVID-19. Furthermore, history shows that DOJ fraud investigations tend to increase following natural disasters (like hurricanes) and after large amounts of government funds are dispersed to stimulate economic growth (like after the 2008 financial crisis). Being proactive and taking steps to identify and address COVID-19 compliance concerns will serve providers well. A firm commitment to compliance as the crisis unfolds will help organizations avoid being low hanging fruit in the audits and investigations that are sure to come.