Health Care Abuse and Strategies to Avoid Violations
by Adrienne Black, Sullivan, Stolier & Resor, APLC, Lafayette, LA
Frequently there are discussions regarding healthcare fraud and abuse laws. Many providers and their compliance officers educate staff on procedures in order to avoid practices that are fraudulent (i.e., prohibited remuneration to referral sources and other obviously fraudulent practices). Less frequently are there discussions about healthcare abuse.
Statutory and regulatory authority typically define the phrase "healthcare fraud and abuse" with a strong focus on "healthcare fraud." Regulators' seeming reluctance to define "healthcare abuse" has led to much confusion about what behaviors constitute abuse. This article will explore the expanding definition of abuse, discuss penalties for violations, and suggest measures that may prevent violations.
Definition of "Abuse"
The Centers for Medicare and Medicaid Services (CMS) has defined abuse as "payment for items or services that are billed by mistake by providers, but should not be paid for by Medicare." The only distinction between this definition and that offered for fraud is that fraud requires intentional improper billing. However, no other definitions base the distinction between fraud and abuse on a willfulness element. Indeed, the only standing regulatory definition of "abuse" is found in the Medicaid Program Integrity regulations as follows:
"Abuse" means provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medicaid program, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for healthcare. It also includes recipient practices that result in unnecessary cost to the Medicaid program.
Although only a Medicaid definition currently exists, the U.S. Department of Health and Human Services (DHHS) did consider establishing a formal definition of "abuse" for Medicare purposes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) added Section 1128E to the Social Security Act. This provision mandated the establishment of a national Health Care Fraud and Abuse Data Collection Program, known as the Healthcare Integrity and Protection Data Bank (HIPDB). The HIPDB was designed to limit healthcare fraud and abuse by alerting federal and state government agencies and health plans to final adverse actions taken against healthcare providers, suppliers, and practitioners. To further that end, the Office of the Inspector General (OIG) within DHHS issued a proposed rule to establish a new 45 CFR part 61 to regulate HIPDB (the "proposed rule"). The statute listed a broad range of reportable actions, but failed to clarify what behaviors constitute abuse. Therefore, the proposed rule offered a definition of "healthcare abuse."
The first portion of the proposed definition was substantially similar to that in the Medicaid regulations. Interestingly, the proposed definition expanded on the Medicaid definition by incorporating "verbal, sexual, physical or mental abuse, corporal punishment, involuntary seclusion or patient neglect, or misappropriation of patient property or funds." The Secretary of DHHS went on to specifically request comments on whether a definition of "healthcare abuse" should be included in the regulations and, if so, what that definition should be. However, when the final rule was published a year later, this definition was not included in the regulations. Despite numerous responsive comments, the regulators ultimately chose to exclude a definition of abuse because "final adverse actions" was not intended to be limited to actions based on healthcare abuse. This decision expanded the types of behaviors that must be reported to the Fraud and Abuse Data Collection Program, without actually expanding the definition of abuse. Even a proposed definition for abuse, not incorporated into the final rule, provides important guidance regarding what types of behaviors will be viewed by regulators as "abusive."
Medicare Penalties for Abuse
Federal law provides that individuals and entities may be excluded from participation in federal healthcare programs for certain violations. Among the causes for mandatory exclusion is a conviction relating to patient abuse as described in the second half of the proposed rule. Had the definition of abuse included in the aforementioned proposed rule been adopted, this would be the only cause for mandatory exclusion as a result of healthcare abuse. Notably, types of fraud are specifically mentioned as causes for both mandatory and permissive exclusion, with no other specific mention of abuse. However, a portion of the statute uses language strikingly similar to that of the Medicaid definition, allowing permissive exclusion for individuals or entities that submit claims for excessive charges or unnecessary services or services that fail to meet professionally recognized standards for healthcare. Although that section never uses the word "abuse," its separation from those sections dealing with fraud and its similarity to the Medicaid definition, combined with the statute's inclusion of a mandatory exclusion for patient abuse, lend support to the proposition that Medicare has adopted the definition of abuse from the proposed rule.
Medicaid Penalties for Abuse
If this interpretation of the statute is adopted, healthcare abuse violations can lead to both mandatory and permissive exclusions, depending on the type of abuse. Mandatory exclusions must be imposed for at least five years, whereas permissive exclusions carry no specified period of exclusion. In addition to or as an alternative to exclusion, the Inspector General may impose various civil monetary penalties.
As an example, under Louisiana Medicaid law, the only type of healthcare abuse that results in a penalty is the "abuse or neglect of the elderly and disabled residents of healthcare facilities." Recall that this definition has not been adopted by the regulators; rather, it has only been suggested by the proposed rule. The types of abuse recognized by Louisiana Medicaid are physical, financial, sexual, and verbal. Penalties for such crimes include imprisonment for up to 10 years, fines up to $10,000, or exclusion from working in a healthcare facility for a minimum of five years.
Corporate Compliance Recommendations
In the event that your organization is found to have violated any federal criminal laws, the presence of a thorough corporate compliance plan may reduce the assessed penalty by up to 70%. Therefore, the potential for negative exposure and penalties upon the commission of healthcare abuse should be minimal if an organization can demonstrate its efforts to comply with all health regulations and standards. This article concludes with the following recommendations which should be followed to limit an organization's risk of committing violations and the resulting penalties in the event that a violation occurs:
- Establish a Code of Conduct expressing the organization's commitment to values, detailing a method for discovery of violations, and providing a framework for remedial action.
- Ensure and demonstrate that all members of the organization have been educated about the Code of Conduct.
- Implement policies and procedures that identify and respond to abuse-prone areas and day-to-day risks. Regularly review these policies and procedures to ensure that they reflect recent developments in the ever-changing healthcare industry.
- Ensure that there are mechanisms by which employees feel comfortable communicating their concerns regarding potential violations to management.
- Designate a compliance officer with sufficient authority, personnel, and financial resources to be effective.
- Periodically evaluate the effectiveness of the compliance program and respond to any perceived deficiencies.
Finally, depending on the location of the facility, state law should be examined for specific requirements.