Compliance Institute 2021: Government Enforcement Updates
compliance, OIG, false claims act, hipaa, HCCA Institute, ebrief, OCR, skilled nursing facilities, DOJ, CIA, Compliance Institute, state enforcement, Governance and Oversight, Exclusion Monitoring, Telemedicine, Telehealth, COVID-19, HCCA, HITECH, CMPL
At this year’s HCCA’s annual Compliance Institute (CI), their 25th anniversary, I had the opportunity to hear from a number of different government enforcement agencies. Over the course of the four-day virtual conference, I sat through multiple sessions featuring speakers from the OIG, DOJ, and OCR.
With so much to take in, it took me some time to narrow down the info I thought would be most beneficial to those of you unable to attend. But at long last, here are some of my favorite sessions with speakers from government enforcement agencies with brief highlights of their messages.
Speaker: Christi Grimm, Principal Deputy Inspector General, OIG
This keynote speaker address is always one of the most important sessions provided at CI each year, and this year didn’t disappoint with the OIG providing a list of 10 OIG compliance priorities:
- Overseeing COVID-19 Relief and Response
- Realizing the Potential of Telehealth
- Ensuring Quality of Care and Patient Safety in Nursing Homes
- Advancing Health Equities
- Modernizing Program Integrity and Compliance Information
- Combating the Substance Use Disorder Epidemic
- Prioritizing Cybersecurity
- Information Blocking Enforcement
- Implementing Value-Based Care
- Strengthening Managed Care Program Integrity
A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights
Speaker: Timothy Noonan, Deputy Director, Health Information Privacy Division
HIPAA compliance is always a priority, and it was super helpful to hear from the OCR, where Mr. Noonan discussed:
- HIPAA and COVID-19
- NPRM on Modifications to the HIPAA Privacy Rule
- HITECH Amendment for “Recognized Security Practices”
- HIPAA Enforcement Trends
Of particular interest, Mr. Noonan discussed the recurring compliance issues the OCR sees as it performs investigations and audits. Some of these include failure to comply with the individual right of access, failure to complete a risk analysis, poor management of business associate agreements, lack luster access controls and poor audit controls. The last recurring issue discussed was poor information system activity review.
After speaking in this general session, Mr. Noonan also spoke in a break-out session focused entirely on “HIPAA in the time of COVID-19: Considerations for Compliance.” An interesting portion of this presentation included case studies of some recent OCR enforcement. More about these cases can be found in the slide deck.
False Claims Act Part 1 and Part 2
One of the speakers in this two-part session on the false claims act was from the DOJ, specifically, Jamie Yavelberg, Deputy Director, Fraud Section, Commercial Litigation Branch, Civil Division.
For me, one of the most interesting discussions centered on the key criteria the DOJ uses when taking into consideration an organization which self-discloses, cooperates with the DOJ and has performed remediation efforts. Some of the criteria are found in the Justice Manual § 4-4.112: Guidelines for taking disclosure, cooperation, and remediation into account in False Claims Act matters. Credit can be given for:
- Timely voluntary disclosure
- Other forms of cooperation
- Remedial Measures
- Thorough analysis of cause of underlying conduct and remediation to address the root cause
- Implementing or improving an effective compliance program to prevent recurrence
- Appropriate discipline for those responsible for the misconduct
- Additional steps demonstrating recognition of seriousness of misconduct and acceptance of responsibility
Hot Compliance and Enforcement Topics Regarding COVID-19
Speakers: Susan A. Edwards, Industry Guidance Branch—OIG and Rachael Honig, Acting U.S. Attorney for the District of New Jersey, DOJ
For months now, we’ve been hearing there would be an increase of enforcement attention on issues related to COVID-19. This session was full of such examples. A few I found particularly interesting included:
- U.S. v. Shibley (W.D. Wash. 06.29.20). Doctor allegedly submitted fraudulent PPP loan applications by misrepresenting his payroll expenses, number of employees and his prior criminal history.
- Dr. Milan Chakrabarty and Hemet Endoscopy Center Settlement (OIG 12.04.20). Doctor and endoscopy center allegedly knowingly made, used, or caused to be made false statements in a document submitted to receive PRF funds.
- U.S. v. Joseph (D. Col. 03.17.21). A physician is alleged to have transferred around $118,000 in COVID-19 relief funding from his medical business account to his personal account.
Speaker: Nicole Caucci, Exclusions Branch Reviewing Official, OIG
Exclusions checks are something compliance programs have been dealing with for many years. It was good to hear from an OIG official overseeing exclusions. This session gave some great background information on the OIG’s mandatory exclusion requirements, and their permission exclusion authority. The effects of exclusions can be serious, and includes:
No payment may be made for any items or services furnished, ordered or prescribed by an excluded individual – not just direct patient care.
- An excluded person who violates the exclusion may be subject to liability under the Civil Monetary Penalties Law (CMPL) and may be denied reinstatement.
- Potential criminal liability and civil False Claims Act (FCA) liability
- Entities that employ or contract with excluded individuals or entities may be subject to liability under the Civil Monetary Penalties Law (CMPL)
The Roles of the Compliance Officer and the General Counsel
Speaker: Laura Ellis, Senior Counsel, HHS OIG
A lot of organizations struggle defining the roles of Compliance Officer and General Counsel. Should they be the same person? Should one report to the other? How are these roles different, and what is the best practice for a compliance program? It was nice to hear from an OIG official about the OIG’s perspective on these roles. Some of the key takeaways from this session included:
- Make Compliance and Legal Separate and Coequal
- Not advisable for compliance function to be subordinate to the General Counsel
- Separating compliance function from the General Counsel establishes checks and balances to effectively achieve compliance goals
- Executive-level Compliance Officer not be, nor be subordinate to, General Counsel (CIA Language)
- Compliance Officer may not “have any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions.” (CIA Language)
These are just a few of the many sessions at this year’s HCCA CI that included speakers from government enforcement agencies. Hearing from such speakers is often a highlight for compliance professionals. If you didn’t get a chance to hear the above sessions, or the other sessions involving government speakers, you can access the handouts via HCCA’s Compliance Institute site.
To download this blog as a PDF, click the button below.