This article first appeared in the September 2012 issue of Compliance Today, a publication of the Health Care Compliance Association.

In February the Centers for Medicare & Medicaid Services (“CMS”) clarified an oft quoted existing rule: Providers must return overpayments to Medicare within 60 days “after the date on which the overpayment was identified,” or in the alternative, “the date any corresponding cost report is due, if applicable.”[1]  For providers of any size, failure to report and return Medicare overpayments pursuant to these temporal requirements may result in potential liability under the Federal False Claims Act[2], resulting in substantial monetary penalties and the risk of being denied future claims for reimbursement.

Dating back to the American Civil War, the False Claims Act (FCA) has over time become the “primary litigative tool for combating fraud” for both federal and state governments.[3] At its core, the FCA imposes liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval.”[4]  While most providers have worked within a similar time frame after identifying an overpayment, it appears that the statutory requirements under the 2010 Patient Protection and Affordable Care Act [5], as amended by the Health Care and Education Reconciliation Act[6] (collectively referred to as the Affordable Care Act or health care reform) were not enough.[7] In reaction, the February 2012 regulations now leave nothing to chance, imposing upon the health care industry detailed definitions with numerous examples to assist providers in determining exactly when the 60-day clock begins.[8]

To ensure that the seriousness of its resolve is understood, the Federal Government plans to soon have the authority to enforce this 60-day requirement for overpayments that have occurred up to 10 years in the past:

“In § 401.305(g), we are proposing that overpayments must be reported and returned only if a person identifies the overpayment within 10 years of the date the overpayment was received.  We selected 10 years because this is the outer limit of the False Claims Act statute of limitations.  We believe that the proposed 10-year lookback period is appropriate for several reasons.  First, we believe that providers and suppliers should have certainty after a reasonable period that they can close their books and not have ongoing liability associated with an overpayment.  We also believe that the length of the lookback period is long enough to sufficiently further our interest in ensuring that overpayments are timely returned to the Medicare Trust Funds.”[9]

Held to a standard of actual knowledge or “reckless disregard or deliberate ignorance” for purposes of identifying an overpayment under the new regulations, CMS notes these new requirements provide for “an incentive to exercise reasonable diligence to determine whether an overpayment exists,”[10] or more specifically, did exist at any time within the past 10 years. While this decade-long requirement may seem excessive in the context of accidental and unidentified overpayments, especially in instances when the provider was not knowingly at fault, it is an essential component in the arsenal of the U.S. Department of Health and Human Services (HHS), and factors highly in its $1.2 trillion projected budget for 2016.[11] Though at first glance they may seem heavy handed, such tools have grown from the necessity inherent in dealing with the oversight of national health expenditures (NHE) that have reached $2.5 trillion as of 2009.[12]

In the current climate of health care reform, providers would be wise to embrace industry innovations designed to improve upon overall integrity, efficiency and performance, especially since the same infrastructure with its 21st century precision may help to identify unintentional overpayments dating as far back as 2002. Federal encouragements toward bundling[13] and the Medicare Shared Savings Program[14], more commonly referred to as accountable care organizations or ACOs, offer opportunities for providers to keep up with these mounting regulatory burdens just as the national push toward electronic health records reaches “stage two.” What remains to be seen is how many of the nation’s estimated 6,100 hospitals[15] will embrace ACOs, with their multi-million dollar price tag, and be willing to dive into the 455 pages of codified “Stage Two” requirements.[16] Perhaps the better question is how many of these same hospitals have satisfied the meaningful use requirements from Stage One.

Of course, the Federal Government and its record-breaking enforcement efforts stand ready to address any industry resistance. In its 2011 fiscal year[17], the Department of Justice procured settlements and judgments in its civil fraud division in excess of $3 billion. Capping the largest three-year streak in the department’s history at a total of $8.7 billion since January 2009,[18] the Federal Government owes its recent success in part to a strategic alliance with beneficiaries.[19]  In November 2011, HHS announced a $9 million award from CMS to Senior Medicare Patrol (“SMP”) programs designed to tackle fraud by increasing awareness of Medicare beneficiaries and enabling them to spot Medicare fraud sooner. The OIG has even focused its attention on hospitals and the need to improve internal reporting systems that capture instances of patient harm.  Of the 189 hospitals surveyed by the OIG that use and often rely heavily upon incident reporting systems to identify patient harm, the outcomes were disturbing:

“Hospital staff did not report 86 percent of events to incident reporting systems, partly because of staff misperceptions about what constitutes patient harm. Of the events experienced by Medicare beneficiaries discharged in October 2008, hospital incident reporting systems captured only an estimated 14 percent. In the absence of clear event reporting requirements, administrators classified 86 percent of unreported events as either events that staff did not perceive as reportable (62 percent of all events) or that staff commonly reported but did not report in this case (25 percent).”[20]

Early adopters of the finest technological advances the industry has to offer may avoid the looming threat of health care’s newest, most ominous acronyms:  RACs, MACs, MICs and ZPICs. Under the aegis of the Medicare Prescription Drug, Improvement, and Modernization Act (MMA)[21], Congress directed HHS to conduct a three-year demonstration program using Recovery Audit Contractors (“RACs”) to detect and correct improper payments within Medicare. By all government accounts, the original RAC demonstration program was successful, ending with more than $1.03 billion recovered. According to CMS, approximately 96% of these payments were overpayments collected from providers (85% of which were collected from hospital providers), and the remaining 4% were underpayments.

The Deficit Reduction Act of 2005 (DRA)[22], took the partnership between the CMS and the States to a new level by introducing RAC-like audits for Medicaid.  The Medicaid Integrity Program (MIP) offers a unique opportunity to identify, recover and prevent inappropriate Medicaid payments.  Medicaid Integrity Contractors (“MICs”) work with CMS to carry out this program.  It is also designed to support the efforts of State Medicaid agencies through a combination of oversight and technical assistance.

Recently introduced Medicare Administrative Contractors (MACs) conduct medical reviews to prevent improper payment of inpatient hospital claims, while Zone Program Integrity Contractors (ZPICs) look at billing trends and patterns in an attempt to uncover Medicare fraud and inefficiencies. CMS has organized the seven jurisdictional zones for ZPICs to comport with the multiple MAC jurisdictions, hoping that ZPICs will assist in preserving the integrity of Medicare.[23]

There is a certain degree of irony in the fact that the nation’s preeminent health care system, which was originally designed to protect America’s aging population, may end up killing the very infrastructure from which it has sprung. In April 1959, the U.S. Department of Health, Education, and Welfare (“HEW”) first raised the fundamental question that remains unanswered 53 years later, as health care reform enters its third year:

“The rising cost of medical care, and particularly of hospital care, over the past decade has been felt by persons of all ages. Older persons have larger than average medical care needs.  As a group they use about two-and-a-half times as much general hospital care as the average for persons under age 65, and they have special need for long term institutional care. Their incomes are generally considerably lower than those of the rest of the population, and in many cases are either fixed or declining in amount. They have less opportunity than employed persons to spread the cost burden through health insurance. A larger proportion of the aged than of other persons must turn to public assistance for payment of their medical bills or rely on ‘free’ care from hospitals and physicians. Because both the number and proportion of older persons in the population are increasing, a satisfactory solution to the problem of paying for adequate medical care for the aged will become more rather than less important. In our society the existence of a problem does not necessarily indicate that action by the Federal Government is desirable. The basic question is: Should the Federal Government at this time undertake a new program to help pay the costs of hospital or medical care for the aged, or should it wait and see how effectively private health insurance can be expanded to provide the needed protection for older persons?”[24]

Before Medicare, federal funds flowed across  the  nation as states made much-needed disbursements consistent with Congressional requirements. In many ways Medicare’s predecessor, the Hospital Survey and Construction Act (the “Hill Burton Act”), forced communities and their local hospitals (many of which were doctor owned at the time) to work together, pooling these government grants as well as their own resources and equipment in order to stay in business.[25]

At the time, providers viewed this infusion of capital in the context of communities, rather than individual hospitals. If a local hospital needed new equipment, its leadership went to other nearby facilities or the community as a whole to fill the gap, and collectively these institutions could share in the federal funds disbursed under the aforementioned Act.[26] In many ways, 1965 found Medicare leaving the totality of America’s hospitals as isolated as critical access hospitals appear today, gradually eliminating the ability for sharing clinical resources, at least to the extent an expectation of compensation was concerned.

In the past, it was initially America’s rural hospitals that predicted Medicare’s prospective payment system would be its ultimate demise. In a statement by Republican Congressman Norman D. Shumway from California: “One area of particular concern is the impact of the prospective payment system on rural hospitals.  Such hospitals have frequently complained that the prospective payment system does not accurately reflect the increased hospital market basket since [fiscal year] 1984.”  Congressman Shumway noted that many experts in the industry concluded “with chilling thought that if inadequate Medicare reimbursement is allowed to continue, hospitals will be forced to go out of business, jeopardizing the health care – and economic stability – of rural America.”[27]

Twenty-five years later, Medicare finds itself going through a transformation that rivals the impact of its formal introduction on the existing health care structure in 1965, and not just rural and community hospitals, but also some of their larger, urban counterparts, still wait on “life support” across the nation. Medicare may not bear the ultimate blame over the decades, but the ways in which the program has served as a weathervane for the health care industry make it an easy target.  Moreover, the Federal Government’s recent well-publicized determination to eliminate health care fraud and waste has sent a message to the industry, and clarification of the 60-day overpayment reimbursement requirement underscores the speed with which the OIG intends to deliver its message.

Unfortunately, health care has never been known for responding quickly to problems.  This latest cluster of fraud and abuse regulations, combined with the nationwide push toward reimbursement based upon performance rather than cost does not bode well for smaller facilities (rural and community hospitals). Indeed, a hospital’s chance of survival in Medicare’s new world may ultimately depend on the sophistication and implementation of its core systems, both technical and practical, with little room for error.  In this vein, Medicare’s Hospital Value-Based Purchasing Program may create a disadvantage for freestanding community and rural hospitals that lack the resources of larger, better funded institutions, making it difficult for them to both implement and monitor the components established by Medicare to be eligible for reimbursement based on quality and performance.

Technology may in the long run provide an opportunity to level the playing field, but such implementations in health care can run years behind practical advances. For example, though both the Federal Government and California have recognized telemedicine as a way to reverse the declining health of the rural health system, such recognition occurred well over a decade ago,[28] and existing laws governing telemedicine today are still not entirely “hospital friendly.”[29] Such hindrances are especially important in today’s world of electronic health records, where straddling the fence between harmless information and sensitive data is no longer an easy task, and the repercussions for the slightest transgression can be severe.[30]

Even as technology provides opportunities, corresponding HIPAA violations can be devastating. If a provider had no prior knowledge that a HIPAA violation occurred, the civil penalty may range from $100 to $25,000 for each violation.[31] When a HIPAA violation has been due to reasonable cause, the civil penalty may range from $1,000 to $100,000.[32] In the case of a willfully negligent HIPAA violation, the penalty may range from $10,000 to $250,000.[33] In fact, HHS may impose cumulative penalties for all violations “of identical requirement or prohibition during a calendar year,” up to $1,500,000.[34]  And finally, in the case of an “intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty may not exceed $250,000, imprisonment up to 10 years, or both.”[35]

The systemic problems facing the Medicare system today should not be underestimated, especially when escalating health care expenses threaten the system’s future sustainability.  Institutional survival, however, is also an undeniably critical component in the delivery of health care, especially if future Medicare beneficiaries intend to access the health care services to which they are entitled under any Federal health program.  Fully understanding the alternative deviates slightly from tenets of medicine and science, and perhaps is better phrased by philosopher George Berkeley:  “But, say you, surely there is nothing easier than for me to imagine trees, for instance, in a park […] and nobody by to perceive them. […] The objects of sense exist only when they are perceived; the trees therefore are in the garden […] no longer than while there is somebody by to perceive them.”[36]

---

[29]     California law, for example, has numerous obstacles with which providers must comply before employing the technology of telemedicine.  Section 2209.5(c) of the California Business and Professions Code provides:

“Prior to the delivery of health care via telemedicine, the health care practitioner who has ultimate authority over the care or primary diagnosis of the patient shall obtain verbal and written informed consent from the patient or the patient’s legal representative. The informed consent procedure shall ensure that at least all of the following information is given to the patient or the patient’s legal representative verbally and in writing:  (1) The patient or the patient’s legal representative retains the option to withhold or withdraw consent at any time without affecting the right to future care or treatment nor risking the loss or withdrawal of any program benefits to which the patient or the patient’s legal representative would otherwise be entitled.  (2) A description of the potential risks, consequences, and benefits of telemedicine.  (3) All existing confidentiality protections apply. (4) All existing laws regarding patient access to medical information and copies of medical records apply. (5) Dissemination of any patient identifiable images or information from the telemedicine interaction to researchers or other entities shall not occur without the consent of the patient.”