With the enactment of the Deficit Reduction Act of 2005 (DRA), the Federal government has broadened its powers to investigate Medicaid fraud, waste and abuse.  The new initiatives are a joint project between the Center for Medicare & Medicaid (CMS) and state Medicaid Agencies.  Effective January 1, 2007, the DRA enhanced Medicaid enforcement actions with three new requirements.  First, Medicaid providers that receive $5 million or more in Medicaid reimbursement per calendar year must inform their employees and contractors about the federal and state False Claims laws, including whistleblower rewards and protections.  Second, if a state adopts a state False Claims Act (FCA) equivalent to the federal law, its Medicaid program will receive an increase of ten per cent reimbursement, known as Federal Financial Participation (FFP), from CMS for any recoveries made pursuant to the state law.  Third, CMS has established a Medicaid Integrity Program to conduct audits, contract with private entities to conduct audits, and provide support to state Medicaid Programs to fight fraud.  The end result will be increased investigations and audits by CMS and states, and an increase in whistleblower lawsuits.  This article discusses these three initiatives, and suggests ways a Medicaid provider can protect itself.

Employee/Contractor Education of Federal and State False Claims Laws

Prior to the enactment of the DRA, providers’ policies on compliance laws were voluntary.  This is no longer true with reference to the federal and state False Claims laws.  The federal FCA imposes liability on any person who submits a claim, or false record to the federal government in order to obtain payment, which he knows or should know is false.  This includes instances when a person uses false statements or records to retain reimbursement to which he knows the provider is not entitled.  Intent occurs when a person who acts with actual knowledge, in reckless disregard, or in deliberate ignorance of the truth or falsity of the information.  See 31 U.S.C. § 3729.  The FCA also permits a private party to bring an action on behalf of the United States alleging fraud against the government.  The “qui tam relator” relates the story on behalf of the “King.”  Commonly referred to as a whistleblower, the relator shares in a percentage of the proceeds recovered as a result of the False Claims action.  The amount is between 15 to 30% depending on the relator’s contribution to the action and whether the government intervenes.  See 31 U.S.C. § 3730.  The FCA protects qui tam relators from retribution, including being fired, demoted, suspended, threatened, harassed or discriminated against in their employment because of their participation in the action against the provider.

The DRA requires that an entity that receives $5 million in Medicaid reimbursement has a written policy that explains the following five elements:  the federal FCA, the administrative remedies and sanctions under the federal FCA, state False Claims laws including civil and criminal penalties, employee’s rights to be protected as a whistleblower under law, and detailed procedures explaining how the entity will detect and prevent fraud, waste and abuse, i.e., a compliance program.  The Department of Justice (DOJ) has provided a summary of the federal FCA for use in these policies.  The DRA does not require “training” on the federal and any state FCA; however the policies must be “disseminated” to all employees, contractors and agents of the Medicaid entity.  The form of distribution may be written or electronic, but it must be readily available to all employees, contractors and agents.  Each state Medicaid program may determine the frequency of distribution, i.e., annually. 

The policy must be distributed to contractors or agents who, on behalf of the entity, provide or monitor Medicaid health care services or items, or perform billing or coding functions.  Therefore, vendors such as the grounds maintenance or copying vendor are not included.  CMS is permitting each state Medicaid Program to determine how to enforce this provision.  For example, should existing contracts be amended to reference the DRA, or is language that the contractor will comply with all applicable federal and state laws sufficient?  Each state will decide.  Contractors, employees and agents who are given a copy of the FCA policy should be required to sign a letter or statement acknowledging receipt.  These acknowledgements should be kept by the Compliance Officer as proof of compliance with the DRA.  A provider that does not meet the $5 million threshold, but is a contractor of a Medicaid Managed Care Organization (MMCO) that does meet the threshold, must be given copies of the MMCO’s FCA policies. 

Entities are not required to create an Employee Handbook.  However, if one exists it must include the written polices on FCA.  If an employer has several handbooks for the same group of employees, the policy must be included in one handbook.  If the employer has different handbooks for different groups of employees, it must appear in each handbook.  These policies were required to be in place by January 1, 2007, unless a state applied for a delayed implementation because state legislation was required to comply, and CMS approved. 

An entity is defined by the DRA as an organization and its sub-units that furnish Medicaid health care items or services, even if the components are separately incorporated or located in different states, and use one or more provider or tax identification numbers.  The definition includes a government agency, organization, unit, corporation, partnership, or other business arrangement, whether for-profit or not-for-profit, which receives or makes payments under a Medicaid State Plan, or waiver program totaling at least $5 million.  Entities include MMCOs.  An individual investor or shareholder is not an entity solely by virtue of holding stock.  A health care system, that includes hospitals that individually do and do not receive $5 million from Medicaid, may be one entity if the parent corporation, partnership, government agency or other owner and its sub-units are all integrally involved in furnishing Medicaid items or services.  

How is the $5 million threshold determined?  Except for the year 2005 for entities that used the federal fiscal year, the year is a calendar year.  Each state Medicaid Program will decide whether to use the date of service or the date of payment in determining the $5 million amount.  The state must be consistent in its application.  Medicaid payments from different state Medicaid Programs to one entity are not aggregated to reach the $5 million.  However, if an entity that receives Medicaid funds from different states meets the $5 million threshold in one state, than all employees and contractors must receive the FCA policies, regardless of whether they are located in different states.  The cost sharing or spend down amount incurred by a Medicaid recipient is not included in determining the threshold.  However, Medicare co-payments and deductibles paid by a Medicaid Program on behalf of a Qualified Medicare Beneficiary, i.e., dually eligible patient participating in both Medicare and Medicaid, are included in determining the threshold. 

Incentives for State Medicaid Programs

State Medicaid Programs are incentivized by the DRA to adopt state False Claims laws comparable to the federal FCA.  The Medicaid program will receive 10% more reimbursement on any overpayments recovered as a result of an action brought under the state False Claims law.  Most state Medicaid Programs are funded 50% by the federal government; the federal share is called Federal Financial Participation (FFP).  The DRA increases the FFP to 60% on these overpayments.  The state False Claims law must be approved by the Office of the Inspector General (OIG) of the Department of Health & Human Services, and the DOJ.  Guidelines for approval of state False Claims laws appeared in the Federal Register on August 21, 2006.  See 71 Fed. Reg. 48552.  A state False Claims law must establish liability to the state equal to that of the federal FCA for fraudulent Medicaid claims; contain provisions that are at least as effective in rewarding and facilitating qui tam actions or whistleblower suits as those in the federal FCA; provide that a qui tam action can be filed for sixty days under seal with review by the Attorney General; and impose a civil money penalty  in an amount equal to or greater than the amount authorized by the federal FCA, which is $5,000 to $10,000 for each false claim.   The OIG and DOJ have approved the state False Claims laws of Hawaii, Illinois, Massachusetts, Nevada, New York, Tennessee, Texas, and Virginia.

New York State has been incentivized by the DRA.  The state has a newly appointed Medicaid Inspector General, who is hiring 753 investigators and auditors to examine Medicaid providers.  New York is projecting $590 million in Medicaid overpayments recovered as a result of fraud.  $8 million has been earmarked to invest in computer software that can help identify fraudulent claims, and a computer card identification program for Medicaid recipients to identify fraud committed by recipients.  

CMS is not prescribing the manner of state enforcement to ensure that an entity has complied with the DRA requirements.  However, CMS may independently determine compliance through audits of entities or require production of policies to CMS or its contractors and proof of dissemination to employees, contractors and agents.  A state may impose more stringent requirements on entities, as long as the requirements do not conflict with the DRA requirements.  A state Medicaid Program may lose FFP if it fails to comply with the DRA requirements.  Each state must have amended its State Medicaid Plan to comply with the DRA requirements by March 31, 2007, unless CMS has approved a delayed implementation.  Each state must have required entities, defined above, to disseminate policies on federal and any state False Claims laws by January 1, 2007.  Failure by an entity or provider to comply may result in loss of Medicaid reimbursement.  In New York, entities are required to submit Certifications of Compliance With Employee Education About False Claims to the Medicaid Inspector General.

CMS Medicaid Integrity Program

The DRA requires and funds CMS to establish and staff a Medicaid Integrity Program.  Previously CMS only relied on state Medicaid Fraud Control Units, which are part of the state Attorney General Offices.  The federal government is taking a more active role.  The DRA requires CMS to develop a five year plan to combat fraud.  CMS must contract with private entities to: 1) review actions of individuals and entities furnishing services or items paid for by Medicaid in order to determine whether fraud, waste or abuse has occurred, or whether the potential for fraud exists; 2) audit Medicaid claims including cost reports¹ and risk contracts; 3) identify Medicaid overpayments to providers and recipients; and 4) educate Medicaid providers, MMCOs, and recipients about quality of care and payment integrity.   Congress has approved $5 million in 2006, $50 million in 2007 and 2008, and $75 million per year thereafter for the operation of the Medicaid Integrity Program.  CMS is hiring 100 full-time employees to support and assist state Medicaid programs in combating fraud. 

The Medicaid Integrity Group is organized into four parts.  Its headquarters are located in CMS’s offices in Baltimore.  The Division of Medicaid Integrity Contracting oversees procurement and monitoring of private contractors who will perform the audits.  The Division of Fraud Research & Detection conducts research and studies of Medicaid billing data to identify aberrant billing practices.  This Division will support and assist the private audit contractors and state Medicaid Programs.  The Division of Field Operations consists of field specialists located in New York, Chicago, Atlanta, Dallas and San Francisco.  This Division reviews state Medicaid procedures and provide support and assistance to state Medicaid Program Integrity offices.

Medicaid Integrity Contractors (MICs) will include at least two types of procurements, research and audits.  CMS has awarded “umbrella contracts” to ACS Healthcare Analytics, AdvanceMed Corporation, IMS Government Solutions, The Medstat Group, and Safeguard Services LLC.  These five MICs will examine Medicaid claims data and work with the Division of Fraud Research and Detection to identify potential fraudulent claims, and specific providers to be audited.  The audits will be conducted by the Audit MICs, who will conduct post payment and cost report audits of Medicaid providers nationwide, including different types of fee for service providers, and eventually MMCO.  These post payment audits will include audits conducted on site at providers’ offices and desk audits, which is a review of records sent to the MIC by the provider.  The audit MICs will make referrals to the OIG and the State Medicaid Fraud Control Units.  However, the State Medicaid Programs will collect the overpayments.  The Audit MICs will not receive a percentage of the overpayments they identify.  These audit MIC contracts have been awarded to Booz Allen Hamilton, Inc., Fox Systems, Inc., Health Integrity, LLC, Health Management Systems, Inc., and Island Peer Review Organization, Inc.  In addition, contracts will be awarded to private entities to conduct post payment audits throughout the country.

The Medicaid Integrity Program intends to provide support and assistance to state Medicaid Programs.  The Division of Field Operations each year will review the procedures of seventeen states’ Medicaid Integrity Programs and provide technical assistance.  CMS has created a National Program Integrity Institute at the University of South Carolina to provide training, courses and certifications of state Medicaid Program Integrity staff.

What Should A Medicaid Provider Do To Protect Itself?

With all this scrutiny going on by so many different parties – federal, state, contractors and whistleblowers – it is imperative that every provider have and implement a compliance program.  What is a compliance program?  The origin is a footnote to the United States Sentencing Commission Guidelines which describes a compliance program as “an effective program to prevent and detect violations of law means a program that has been reasonably designed implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.  Failure to prevent or detect the instant offense, by itself, does not mean that the program was not effective.  The hallmark of an effective program to prevent and detect violations of law is that the organization exercised due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.”  See U.S. Sentencing Commission Guidelines § 8A 1.2, application Note 3(k). 

An effective compliance program consists of eight components.  It must have Compliance Standards and Procedures that are reasonably capable of reducing the prospect of criminal conduct.  A statement of Corporate Philosophy, a Code of Conduct and an employee manual are recommended.  The provider should have implemented Steps to Detect and Prevent Offenses which may occur in an organization engaged in providing health care services and items.  A Compliance Officer and a Compliance Committee which has the authority and responsibility to oversee the operations of the provider.  The goal is to ensure that the laws, regulations, standards and procedures of the particular type of provider are followed.  The Compliance Officer should be an individual with integrity, who is approachable by anyone and respected by his or her colleagues.  The Compliance Officer must have the confidence of senior management, and simultaneously be independent enough to report to the Board of Directors.  The provider must exercise Due Care in Delegating Discretionary Authority to individuals that the provider knows, do not have a propensity to engage in illegal activities.  For example, criminal background checks of employees should be a standard practice.  There should be Employee Training on a regular and repeated basis of the rules and policies governing the operation of the provider.  Policies should be written so that they are easy to understand and should be available, for example the DRA policies on federal and state False Claims laws.  There should be ongoing auditing and monitoring both by independent consultants hired through health care counsel to preserve attorney client privilege, and internal compliance staff to ensure compliance with rules and standards.  The provider should have a penalty free and confidential reporting mechanism, such as a hotline. The provider should implement Enforcement and Discipline of violators no matter what position they hold in the company.  Finally, the provider needs to have a Response and Prevention Procedures if a violation of the law is discovered.  The response should include an internal compliance investigation conducted by health care counsel, a voluntary disclosure if appropriate, and fixing the cause of the problem so it is not repeated.   

Conclusion

An attorney who specializes in health care should create your compliance program.  The reason is that unlike other industries, normal business practices in the health care industry may be considered a kickback for referrals or an inducement to patient to choose your provider.  To best illustrate my point, in the beverage industry, if you want to get a product on the shelf in a supermarket, you must pay for “shelf space.”  Paying for referrals in health care may land you in jail.  Business relationships among providers usually involve parties that can refer patients to each other for health care services or items.  Many of the rules are federal and have parallel state laws.  The main areas of concern are state license laws, state corporate practice of medicine laws, anti-kickback laws, physician self referral laws, patient inducement or solicitation laws, fee splitting laws, cost report rules and complex Medicare and Medicaid reimbursement rules.  This minefield of federal and state regulations can be navigated by a health care attorney with expertise in these areas.  The stakes are too high to use an attorney without health care experience.  The press is always reporting about overnight millionaires as a result of whistleblower or relator lawsuits.  In this environment, heightened by the requirements of the DRA, it is wise to protect your business and yourself from corporate and personal liability, as well as audits and investigations performed by CMS’s new Medicaid Integrity Program and the state Medicaid Fraud Control Unit.

¹ Medicaid cost reports are another area that requires special attention.  Most Medicaid programs are reimbursed based on costs and must file a cost report.   In addition, under Medicare many providers are reimbursed under a prospective payment system, but are still required to file a cost report.   In either case cost reports have an attestation that must be signed which attests that all laws are complied with.  Medicare cost report principles found in the Provider Reimbursement Manual are usually followed by Medicaid programs.  These principles include issues such as home office, shared employees, shared office space, related party rules, prudent buyer rules and allowable costs.