Deeper Than the Headlines: The Many Faces of False Claims Act Allegations

When a lot of healthcare organizations consider their risk under the False Claims Act, they often think of coding and billing errors submitted on 1500s or UBs. It’s probably the first place I’d consider looking as well for the greatest risk to a Medicare or Medicaid healthcare provider. However, it’s important to not get complacent by only looking there for risks or errors. As a compliance officer, your compliance program should not only be considering the risk under direct claims submissions to government payors, but your program should also consider other financial transactions.

For example, the DOJ recently announced the CHRISTUS/St. Vincent Medical Center (Santa Fe, NM) settlement for $12.24 Million. This settlement resolved False Claims Act allegations, but the foundation of the allegations was that St. Vincent made illegal donations to county governments. The donations were used to fund the state share of Medicaid payments to the hospital as opposed to upcoding or unbundling of procedures on a 1500 or UB, which we often read about in other enforcement headlines.

The context of the allegations was within New Mexico’s Sole Community Provider program which provided additional Medicaid dollars to hospitals. Under this program, the federal government would reimburse the state for about 75% of its cost and the state would “match” their 25% share. However, the matching funds had to consist of state or county funds, not donations from private hospitals. The purpose of the restriction on donations was supposed to serve as an incentive for the state to reduce rising Medicaid cost because state (or county) funds would be used and thus they would have “skin in the game,” so to speak. To this point, the DOJ stated, “Congress expressly intended that states and counties use their own money when seeking federal matching funds. Using local funds provides an incentive for the counties and states to, among other things, hold down costs rather than rely on non bona-fide donations by private providers.”

It was alleged that CHRISTUS/St. Vincent made the donations and as a result caused the state of New Mexico to present false claims to the federal government through the Medicaid program.  This is how the False Claims Act was implicated. The lawsuit was brought by a former county healthcare administrator who will receive $2.249 Million as her share of the recovery.

This is just one example of why a compliance program should perform a comprehensive risk assessment that looks at all the financial transactions undertaken by the organization, not just the typical area of focus of direct claims being submitted to government payors on a 1500 or UB. Scrutiny of direct claims should of course receive the attention of the compliance program, but compliance officers need to be aware of the other financial activities occurring within the organization that could also have influence on how others are submitting claims (in this case the state of New Mexico being reimbursed by the federal government through the Medicaid program).

The OIG expects organizations to perform a thoughtful, regularly conducted risk assessment resulting in an effective compliance work plan as well as auditing and monitoring based on the risks.  One might wonder if the financial transactions outlined in the allegations of the CHRISTUS/St. Vincent settlement were included in the annual risk assessment and if they were if any auditing or monitoring occurred surrounding the alleged donations to the county.
When measuring the effectiveness of an organization’s risk assessment, the OIG has recommended some of the follow areas to consider and measure:

Risk Assessment Documentation/Process Review

• Is there a documented enterprise‐wide risk assessment?
• What is the work plan creation process?
• Is internal audit included?
• Is a fraud risk assessment conducted?
• Is this information used as a basis for creating the auditing and monitoring plan or work plan?

Risk Assessment Process/Process map of Risk Assessment Process

• Who participates?
• How are topics prioritized?
• What is the process?
• How are mitigation steps determined?
• Is education provided?
• How are the results reported?

Risk-Based Work/Audit Plan

• Is the compliance work/audit plan based on a documented risk assessment and is it risk based?

Each organization’s risk assessment should be unique for that organization. Cookie cutter efforts will not get the job done.  Make sure your compliance program has access to, and is considering, all transactions and activities of the organization while it’s performing its risk assessment.  Once identified, include the specific risks in your compliance work plan and auditing and monitoring plan.