Close Menu
KOMahonyLaw - Law Office of Kevin P. O'Mahony
Healthcare, Business
& Litigation Services

Stark, Anti-Kickback, Civil Monetary Penalty & False Claims Act Issues

Financial relationships in healthcare raise a number of potential issues under a variety of federal and state fraud and abuse laws that don’t typically arise in other industries. The Department of Health & Human Services (“HHS”) Office of the Inspector General (“OIG”) has identified the five most important federal fraud and abuse laws that apply to physicians and health industry participants who have relationships with them. Those laws include: the Physician Self-Referral Law (“Stark Law”), the Anti-Kickback Statute (“AKS”), the False Claims Act (“FCA”), the Civil Monetary Penalties Law (“CMPL”), and the Exclusion Authorities (federal statutes under which healthcare providers may be excluded from federal healthcare programs).

Like some other states, Georgia has also enacted its own Patient Self-Referral Act (the “Georgia Stark Law”) and two separate False Claims Acts (the “State False Medicaid Claims Act” and the “Georgia Taxpayer Protection False Claims Act”). So healthcare providers and businesses in Georgia are now regulated on both the state and federal levels by numerous laws designed to prevent and punish fraud or abuse. And some of these laws may be used to help prove fraud or abuse not only when a government agency or program is involved, but also in situations in which private insurers or patients themselves pay for healthcare services.

In recent years, federal and Georgia healthcare regulators (as well as private insurers) have obtained record recoveries from civil cases alleging fraud, abuse and false claims. And most recently, the broadened statutory bases of FCA recovery established by the Patient Protection and Affordable Care Act (“ACA”) have resulted in even greater proliferation of healthcare fraud recovery actions. Moreover, under the qui tam provisions of the FCA, private individuals may file enforcement actions on behalf of the government if they learn of fraudulently submitted claims that are otherwise undetected. Known as “relators” or “whistleblowers,” these individuals may receive up to 30 percent of any successful recovery, which has led to even more lawsuits and liability.

Consequently, these healthcare fraud prevention and enforcement laws should get the careful attention – if not strike fear in the heart – of any owner or operator of a business providing healthcare services in Georgia. A brief overview of the federal laws involved follows.

The Stark Law

The Stark Law (named for Congressman Pete Stark who sponsored the initial bill) refers to prohibition of the practice of physician self-referral under circumstances where a patient is referred to a medical facility in which the referring physician or an immediate family member has a pecuniary interest. Financial relationships that may violate Stark include both ownership/investment interests and compensation arrangements, which may be direct or indirect. Violations are subject to a strict liability standard (intent to defraud need not be proved), and enforcement extends to almost any type of remuneration within the Medicare system for patient referrals, unless a specific exception applies.

Like the AKS and FCA (summarized below), penalties under Stark can be devastating. They include recovery of payments made in violation, imposition of a $23,863 per service civil monetary penalty for violations, and a monetary fine of $100,000 for each arrangement found to have willfully circumvented the statutory scheme. Because many services or claims may be billed before a potential problem is detected or an issue is raised, potential liability can easily become astronomical.

The Anti-Kickback Statute

Similar to Stark but broader, the AKS prohibits anyone from offering, paying, soliciting or receiving remuneration (monetary or otherwise) to induce or reward referrals or generate business for anyone participating in any federal healthcare program (e.g., drugs, supplies or healthcare services for Medicare or Medicaid patients). Remuneration includes anything of value and can take many forms besides cash, such as free or below-market rent, hotel stays, meals, gift cards and excessive compensation for medical directorships or consultancies.

In the medical industry, kickbacks create four concerns: (1) corruption of medical judgment, (2) overutilization, (3) increased costs to healthcare programs and beneficiaries, and (4) unfair competition.

Although neither knowledge of the AKS nor intent to commit a violation is required, the proof requirement under the AKS, unlike Stark, is knowing and willful misconduct. As a result, those found in violation of the AKS also face criminal penalties in the form of a prison term for each violation. Moreover, recent amendments to the AKS now establish that a violation of the AKS constitutes a false or fraudulent claim under the FCA, even if the service was medically necessary and properly provided.

The AKS criminalizes both sides of a kickback scheme: the payor of the kickback, and the payee (or recipient) of the kickback. On the payee side, the AKS prohibits “knowingly and willfully solicit[ing] or receiv[ing] any remuneration . . . in return for” certain enumerated actions, including making a federal healthcare program referral. Many circuit courts, including the First, Third, Fifth, Seventh and Ninth circuits, have adopted the “one purpose” rule, under which a person violates the AKS if just “one purpose” of the payment in question is to induce referrals – even if the primary purpose is something else. But under a recent case in the Eleventh Circuit (which governs AKS prosecutions in Georgia, Florida and Alabama), the court held that the AKS requires no proof of a payee’s motivation for accepting a payment. See United States v. Shah, 981 F.3d 920 (11th Cir. 2020).

Civil monetary penalties of up to three times each kickback and $50,000 per violation may be awarded under the AKS. Criminal penalties and administrative sanctions for violating the AKS include fines, jail terms and exclusion from participation in the federal healthcare programs.

“Safe harbor” rules protect certain payment and business practices that could otherwise implicate the AKS from civil and criminal prosecution. Some safe harbors address personal services and rental agreements, investments in ambulatory surgical centers, and payments to bona fide employees. But to be protected by a safe harbor, an arrangement must fit squarely in the safe harbor and satisfy all of its requirements.

The False Claims Act

The FCA permits recovery of funds from anyone who knowingly presents or causes to be presented a fraudulent claim for payment to the government. Examples of conduct that may violate the FCA include:

  • Charging or submitting claims for services that were not rendered or performed
  • Charging or submitting claims for services that were not medically necessary
  • Charging or submitting claims for services for which patients do not meet the medical criteria to receive those services
  • Charging or submitting claims under the billing credentials of a provider that did not provide services to the patient or did not provide services as detailed in the submitted claim
  • Double billing (charging more than once for the same service)
  • Changing patient diagnosis for billing purposes
  • Upcoding patient visits
  • Unbundling billing codes (e.g., billing parts of a single, whole procedure separately instead of under a comprehensive code)
  • Bundling (e.g., billing for a battery of tests when only a single test was ordered)
  • Forging physician signatures on required medical documentation
  • Billing for brand name drugs when only generic were provided
  • Billing for premium equipment but providing inferior equipment
  • Off -label marketing of pharmaceuticals
  • Failing to report and return an overpayment by the government for the sale of a good or service (violating the 60-day rule)
  • False certifications of compliance with applicable federal and state laws
  • Paying kickbacks to physicians or other medical providers to refer patients for services in violation of the Stark or Anti-Kickback laws

To establish FCA liability, it must be proven that a defendant knowingly submitted or caused to be submitted a false claim for reimbursement of services. The claim need not be entirely fraudulent in order to violate the FCA, however. Rather, the FCA prohibits use of any false statement or document in support of a claim for government funds. In addition, liability under the FCA also attaches to anyone who acts improperly to avoid having to pay money to the government (known as “reverse” false claims).

The FCA is also known for its qui tam (whistleblower) provisions, which include a strong anti-retaliation provision. With the proliferation of FCA qui tam actions, healthcare businesses of all types and sizes must not only attempt to avoid whistleblower claims by taking proactive measures to ensure compliance within the organization, they must also be careful to take concerns from potential whistleblowers seriously and not act in any way that could be viewed as retaliatory.

Financial recovery under the FCA can be crippling, with penalties per claim plus three times the government’s actual damages. On May 9, 2022, the DOJ published its Civil Monetary Penalty Inflation Adjustment for 2022. Per-claim penalties run between $12,537 and $25,076 – an increase from a previous range of $11,803 and $23,607 per violation. With an approximate 6.2% increase, the 2022 inflation-adjusted civil monetary penalty is the largest increase since 2018. However, penalties for violations after November 15, 2015 are calculated based on the penalty amounts in effect when the penalties are assessed. The 2022 inflation-adjusted civil monetary penalty amount applies to violations occurring after May 9, 2022.

In the context of Medicare billing, the potential exists for a catastrophic judgment based on the number of claims at issue. Individuals may be held responsible if found to have acted willfully, recklessly, or with deliberate ignorance in making or causing the submission of false claims. Those responsible may even face criminal charges. And, as noted above, liability under the FCA is allowable for violations of the Stark Law or AKS. So the potential for imposition of individual liability and/or criminal sanctions allows the government to obtain large settlements when it has credible allegations of FCA violations.

The Civil Monetary Penalties Law

The CMPL authorizes HHS’s Secretary to impose civil monetary penalties, an assessment, and program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs. Penalties range from $2,000 to $100,000 for each violation, depending on the specific misconduct involved. Thus, the monetary sanctions imposed generally far exceed the damages actually sustained by the government. The OIG must only prove liability by a “preponderance of the evidence” rather than the more demanding “beyond a reasonable doubt” standard required in criminal actions. And a healthcare provider owner or operator can be held liable based on his, her or its own negligence, or the negligence of employees. There is no requirement that intent to defraud be proved.

The Eliminating Kickbacks in Recovery Act

As part of the federal government’s efforts to combat the nationwide opioid crisis, Congress enacted the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (the “SUPPORT Act”), effective October 2018. Under two sections of the SUPPORT Act, Congress enacted the Eliminating Kickbacks in Recovery Act (“EKRA”), with the intent of prohibiting individuals from referring substance abuse patients in exchange for kickbacks to recovery homes, clinical treatment facilities and laboratories.

EKRA prohibits knowingly and willfully soliciting, receiving, offering or paying remuneration, directly or indirectly, in return for referring a patient to, or in exchange for an individual using the services of, a recovery home, clinical treatment facility, or laboratory with respect to services covered by a health care benefit program. The term “health care benefit program” includes “any public or private plan or contract affecting commerce, under which any medical benefit, item or service is provided to any individual, and includes any individual or entity who is providing a medical benefit, item or service for which payment may be made under the plan or contract.”

EKRA defines “recovery home” as “a shared living environment that is, or purports to be, free from alcohol and illicit drug use and centered on peer support and connection to services that promote sustained recovery from substance use disorders.” “Clinical treatment facility” is defined as “a medical setting, other than a hospital, that provides detoxification, risk reduction, outpatient treatment and care, residential treatment, or rehabilitation for substance use, pursuant to licensure or certification under state law.” “Laboratory” is defined to include all clinical laboratories, and thus all referrals for clinical laboratory tests implicate EKRA, regardless of whether the tests relate to substance abuse testing or treatment.

Importantly, EKRA does not define the term “referral.” Because EKRA’s prohibition against kickbacks is limited to remuneration paid in exchange for referrals or an individual’s use of services, an authoritative interpretation of the term “referral” under EKRA is necessary to determine the scope of the law. But while we await further clarification, EKRA established a new public and private payor intent-based criminal anti-kickback law that prohibits any form of remuneration in exchange for referrals to, or an individual’s use of, all entities that meet the definitions of recovery homes, clinical treatment facilities or laboratories, including referrals to laboratories unrelated to substance abuse testing or treatment.

EKRA includes eight exceptions to its broad prohibition on the payment of remuneration. Specifically, EKRA provides exceptions for the following types of arrangements, provided that they meet certain specified requirements: (1) discounts obtained by service providers; (2) payments made to employees and independent contractors that meet certain structural requirements; (3) drug manufacturer discounts provided under the Medicare coverage gap discount program; (4) arrangements that meet the personal services and management contracts safe harbor under the AKS; (5) waivers or discounts of coinsurance or copayments; (6) remuneration between healthcare entities and an individual or entity pursuant to an agreement that contributes to the availability (or enhances the quality) of services provided to medically underserved populations; (7) remuneration made pursuant to an alternative payment model or other model determined by the HHS Secretary to be necessary for care coordination or value-based care; and (8) any other regulatory safe harbor promulgated by the Attorney General in consultation with HHS’s Secretary that clarifies the exceptions described in (1) – (7) above.

While some of EKRA’s exceptions appear similar to certain exceptions and safe harbors available under the AKS, EKRA’s exceptions are inconsistent with the corresponding AKS exceptions and/or safe harbors. And because pre-existing federal laws, such as the AKS and Stark Law, govern the same arrangements implicated by EKRA, inconsistencies between EKRA and the AKS or Stark may lead to significant difficulties for healthcare providers and other entities and individuals that now must comply with EKRA in addition to pre-existing laws. For example, one important difference between EKRA’s exceptions and the AKS’s safe harbors is the absence of the AKS’s employment safe harbor under EKRA.  This means that previously compliant payment methodologies structured under the AKS’s employment safe harbor (such as paying W-2 employees volume or value-based commissions) are now at risk of violating EKRA. Moreover, state laws applicable to kickbacks, fee-splitting and self-referral may also be inconsistent with EKRA. In that regard, EKRA includes a confusingly written preemption section that specifies that (1) EKRA does not apply to conduct that is prohibited under the AKS, and (2) EKRA shall not “be construed to occupy the field in which any provisions of this section operate to the exclusion of State laws on the same subject matter.”

Similar to certain other federal laws in this area, EKRA is a criminal statute that includes a “knowing and willful” intent requirement. Violators of EKRA will be subjected to a fine of up to $200,000 or imprisonment of 10 years, or both, for each occurrence. Additionally, a violation of EKRA could have other collateral consequences, such as licensure sanctions, revocation, and exclusion from governmental healthcare programs.

EKRA is broadly drafted in a manner that requires those involved in healthcare arrangements that otherwise comply with federal and state fraud and abuse laws to reassess their compliance. Given the various areas of uncertainty created by EKRA, healthcare providers and other entities and individuals in the healthcare industry should consider taking a conservative approach when evaluating all relationships with recovery homes, clinical treatment facilities and laboratories that are governed by EKRA. Until Congress refines EKRA, or the Attorney General promulgates regulations, or there is other guidance (such as case law) interpreting EKRA, many existing relationships in the healthcare industry need to be revised in order to comply with EKRA and avoid risking criminal liability.

EKRA Enforcement Action

A medical clinic office manager’s guilty plea to one count of an EKRA violation on January 10, 2020 is believed to be the first in the nation. The case provided some initial insight into how regulators view EKRA.

Theresa Merced was the office manager of St. John Neumann’s Extended Hours Clinic, a substance abuse treatment facility in Breathitt County, Kentucky. Her husband, a physician, also worked at the clinic. According to the plea agreement filed in the United States District Court for the Eastern District of Kentucky, Merced “solicited kickbacks from “R.C.” [the Chief Executive Officer (CEO) of a clinical toxicology lab] in exchange for her referral of urine drug testing to his laboratory. The solicited kickbacks included cash payments, the hiring of employees to work in the clinic, and the payment of certain utilities.”

The plea agreement stated that Merced had direct knowledge that this arrangement was illegal because she stated that she and R.C. needed to use discretion and she did not want to “be in trouble with the law.” Merced received $4,000 as part of a total proposed cash payment of $14,000 and the hiring of five employees as requested by Merced in exchange for referrals for urine drug tests between December 2018 and August 2019. She also was charged with one count of making false statements under 18 U.S.C. § 1001 and one count of attempted tampering with records under 18 U.S.C. § 1512. She was scheduled to be sentenced in May 2020. HHS’s OIG and the Kentucky Office of Attorney General, Medicaid Fraud Control Unit led the investigation. See (Jan. 10, 2020).

This case, in which an employee of a clinic serving substance use disorder patients apparently used her ability to make referrals to testing labs for direct monetary kickbacks, appears to have been exactly what legislators contemplated in drafting EKRA to combat the opioid crisis. Ms. Merced’s actions seemed to fall squarely within the purview of EKRA, which prohibits individuals from soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind, in return for referring a patient or patronage to a recovery home, clinical treatment facility, or laboratory.” See 18 U.S.C. § 220(a)(1). According to the charges filed in the district court, Merced violated EKRA when she solicited and received this remuneration knowingly and willfully, in cash and in kind, in return for patient referrals to a laboratory for the furnishing of services covered by a healthcare benefit program, in or affecting interstate commerce.

EKRA currently contains seven safe harbors. But none of them appear to have been relevant to Merced’s actions. For example, EKRA allows personal services and management contracts as a safe harbor. However, these transactions must be set forth in a formal agreement and not be “determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part under Medicare, Medicaid or other Federal health care programs.” And in reviewing this potential safe harbor against the facts of the Merced case, any argument that there was a principal-agent personal services and management contract between Merced and the clinical laboratory CEO was nullified by the volume-based transactions between Merced and R.C. See 18 U.S.C. § 220(b)(4); 42 C.F.R. 1001.952(d).

EKRA & Anti-Kickback Statute Comparisons

As a result of the Merced case, healthcare industry participants are now on notice as to what can constitute an EKRA violation in the eyes of the regulatory authorities. Given the interplay between the EKRA and AKS safe harbors, and other similarities such as the potential for criminal and civil penalties, it is possible that future cases could include violations of both the AKS and EKRA.

EKRA and the AKS are frequently compared, given the criminal elements in both laws, as well as the similarities and differences between the safe harbors. But EKRA is broader in some respects and narrower in others.

Under the AKS, individuals are barred from offering, paying, soliciting or receiving anything of value in exchange for patient referrals or items or services that are considered to be reimbursable by public healthcare programs such as Medicare and Medicaid, while EKRA applies to all payors. And the safe harbor inconsistencies can have important consequences for entities that have traditionally relied on compliance with AKS safe harbors.

For example, the AKS “bona fide” employee safe harbor (unlike EKRA, which places limits on referral and commission volume) does not include such barriers, exempting “any amount paid by an employer to an employee, who has a bona fide employment relationship with the employer, for employment in the furnishing of any item or service for which payment may be made in whole or in part under Medicare, Medicaid or other Federal health care programs.” In other words, the AKS makes clear that it does not prohibit payments by an employer to an employee who has a bona fide employment relationship with the employer. 42 C.F.R.  § 1001.952(i). Under this safe harbor, any payment by an employer to an employee is exempt from AKS prosecution so long as the employment relationship meets the bona fide employment test.

By contrast, EKRA exempts payments by an employer to an employee only if the payment “is not determined by or does not vary by” the number of individuals referred to the entity, the number of tests or procedures performed, or the amount billed to or received from the payer based on such referrals. 18 U.S.C. § 220(b)(2). This limitation on EKRA’s employment safe harbor is significant, since many entities subject to EKRA (such as clinical laboratories) have previously paid their sales force on a percentage-based/commission basis.

Under the AKS, if members of that sales force were bona fide employees, the employment safe harbor would protect the arrangement. But under the language of EKRA, such payments might not be protected, regardless of whether members of the sales force are W-2 bona fide employees or 1099 independent contractors. So relying solely on the AKS bona fide employee safe harbor is perilous for entities covered by EKRA (i.e., recovery homes, laboratories and clinical treatment facilities).

False Claims Act Application to EKRA

The FCA enables the federal government on its own or a private person on behalf of the government (a “relator”) to bring a case under the FCA. The federal government always remains a party of interest in any FCA case, whether or not it intervenes in a case that a relator brings.

The FCA, which also has a scienter requirement but differs from both EKRA and the AKS, sets forth “liability for any person who knowingly submits a false claim to the government or causes another to submit a false claim to the government or knowingly makes a false record or statement to get a false claim paid by the government.” The FCA imposes liability on anyone who:

(A) knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval;

(B) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim;

(C) conspires to commit a violation of the FCA;

(D) has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property;

(E) is authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true;

(F) knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge property; or

(G) knowingly makes, uses, or causes to be made or used, a false record or statement material to an obligation to pay or transmit money or property to the Government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the Government. See 31 U.S.C. § 3729(a)(1).

Under the FCA, violators must make claims knowingly, which means they “(i) have actual knowledge of the information; (ii) act in deliberate ignorance of the truth or falsity of the information; or (iii) act in reckless disregard of the truth or falsity of the information.” FCA violations can be based on directly false claims, express false certification, or implied false certification, which can be brought directly by the federal government or by a private individual plaintiff.

In Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016), the Supreme Court held that “liability can attach when the defendant submits a claim for payment that makes specific representations about the goods or services provided, but knowingly fails to disclose the defendant’s noncompliance with a statutory, regulatory or contractual requirement. In these circumstances, liability may attach if the omission renders those representations misleading.” The Fifth Circuit, in overturning a district court, has interpreted this to mean that “the Supreme Court made clear that defendants could be liable under the FCA for violation of statutory or regulatory requirements, whether or not those requirements were designated in the statute or regulation as conditions of payment.” See United States ex rel. Lemon, et al. v. Nurses to Go, Inc., Opinion, Case No. 18-2032 (5th Cir. May 7, 2019).

The FCA allows relators to allege through “qui tam” actions that third parties defrauded the federal government. Relators may receive between 15 and 25 percent of the amount recovered by the government through the qui tam action if the government intervenes, and between 25 and 30 percent of the amount recovered if the government declines to intervene. Currently, relators can use, among other types of violations, AKS violations to file qui tam actions.

A violation of the AKS can be the basis of an FCA qui tam lawsuit. How the FCA and EKRA interact from an enforcement perspective and how the federal government would perceive relators’ potential use of EKRA violations to file qui tam suits, for instance, remain open questions. In Merced, since the EKRA violation was investigated at the outset by federal and state governments, unfortunately little clarity was gained with respect to potential qui tam actions under the FCA. But there does not appear to be any reason to expect the government would, as a policy matter, oppose well-founded FCA qui tam lawsuits based on EKRA violations.

State Law & Potential EKRA Liability

Individuals who violate EKRA must also consider the potential triggering of state statutes that mirror the FCA and may introduce additional liability. The “Georgia Taxpayer Protection False Claims Act,” for example, is enforced by the Georgia Attorney General’s Office and contains many of the same liability elements as the FCA discussed above, as well as a provision that allows for its civil enforcement equivalent of FCA qui tam actions. The Georgia Attorney General’s Office has prosecuted its own version of qui tam claims under the “State False Medicaid Claims Act,” which focuses on Medicaid fraud.

Other state-level False Claims Act-type statutes can serve as further levels of regulation that could be civilly enforced against EKRA violators on top of EKRA criminal punishment. These state law causes of action are often intertwined with the federal FCA. In the instance of Medicaid fraud, for example, an individual could face civil enforcement actions by the Georgia Attorney General’s Office or potentially criminal enforcement by the Georgia Medicaid Fraud Control Unit within its office. Depending on the facts and circumstances, in addition to actions taken at the state level, such Medicaid fraud may also warrant federal review under the FCA.

Takeaways From Merced

Depending on what the evidence shows, the government has discretion to decide what law(s) to utilize as the basis or bases of its case. EKRA is now one more tool in the government’s already-formidable anti-fraud and abuse toolkit. The Merced case shows that health industry participants must remember the following: (1) a safe harbor under EKRA and the AKS must be met; (2) an EKRA violation constitutes a valid basis for a FCA case because although the government pursued Merced solely as a criminal matter, it could have brought a FCA case; and (3) EKRA, the AKS and FCA all have scienter requirements and the potential for criminal liability.

Finally, although EKRA currently applies to only three types of healthcare entities (recovery homes, laboratories and clinical treatment facilities), it is broader than the AKS since it also covers private payors. The Merced case is a strong indication of what may be coming next in terms of enforcement actions, case law and compliance programs.

EKRA Exposure Extends to Private Payers

In September 2020, the U.S. Attorney’s Office for the District of New Jersey announced that a physician had pleaded guilty to EKRA violations in a criminal prosecution. Three marketing company agents who acted as patient brokers and referral agents for various healthcare providers also pleaded guilty to healthcare fraud for their actions in referring patients to the physician’s addiction treatment facility. The information referenced the federal Substance Abuse and Mental Health Services Administration (“SAMHSA”) guidelines, which required the U.S. to establish and implement a program to improve treatment and related services to persons with substance abuse, and protect the rights of substance abusers. The charges were brought as an EKRA action and highlight the scope and breadth of potential enforcement under EKRA.

The underlying allegations showed that drug treatment facilities around the country had hired a marketing company to make patient referrals to their facilities. The treatment facilities billed private payers for the care rendered to patients. According to the allegations, upon a successful referral by the marketing company, the drug treatment facility would pay the recruiters for each such patient referral. The marketing company allegedly had a national network of recruiters or salespeople who located potential patients suffering with addiction. The recruiters would engage with potential patients about their insurance coverage to determine if they fit the patient profile required. Patients with private insurance containing healthcare coverage for substance abuse care were referred to residential treatment facilities. The physician defendant owned such a facility and entered into a marketing agreement with the company providing such referrals.

The marketing company directed the recruiters to arrange for and pay travel expenses for the patients to get them to the treatment facility. The criminal Information alleged that additional bribes were paid to the potential patients as a means of ensuring that they would agree to residential care if the patients were reluctant to seek treatment. Once the patients were accepted into the facility, the recruiters would continue to communicate with the patients to ensure the patient stayed for the minimum ten days required for sufficient payment by the insurer, regardless of quality of care or medical necessity. The physician defendant’s facility and other facilities typically paid the marketing company a fee of $5,000 to $10,000 per patient referral, with larger fees for longer lengths of stay, according to the Information. As a result, the recruiters financially benefitted more from patients who were encouraged to stay in the program for longer lengths of time and to incur greater charges against their insurance coverage.

Particularly noteworthy, the DOJ’s press release does not reference federal payers or discuss harm done to public taxpayers who help fund the Medicare and Medicaid programs. In most cases, federal healthcare fraud prosecutions have focused on federal payers and have not dealt as frequently with private payer fraud. As a result, some consultants have advised providers who wish to avoid federal prosecution to limit questionable or risky activities to those patients who are not covered by Medicare, Medicaid, or any other governmental program. But in this case, the guilty pleas for healthcare fraud and EKRA violations related specifically to privately insured patients. Consequently, this case shows that healthcare fraud prosecutions can and will extend to activities involving private payers, as well as those involving governmental programs.

Unlike the AKS safe harbors, the EKRA safe harbor for payments to “bona fide” employees and independent contractors expressly provides that payments to such personnel may not “vary by (A) the number of individuals referred to a particular . . . laboratory; (B) the number of tests or procedures performed; or (C) the amount billed to or received from, in part or in whole, the health care benefit program from the individuals referred to a particular [facility or provider].” In the New Jersey case, the amount of referral payments was based on (1) the number of patients referred in a given month, (2) the duration of the patient’s stay at the drug treatment facility, (3) the level of treatment the patient received, and (4) the patient’s type of insurance. The fact that fees paid to the marketing company and the fees paid to the recruiters increased based on revenue as well as on number of patients was a key part of the criminal charges brought. While this case was an egregious example of large sums being paid for patient referrals, a key takeaway is that commissions or fees paid on the basis of patient volume or increased reimbursement is illegal, regardless of the payer or insurance type.

Georgia’s 2021 Law Prohibiting Patient Brokering for Substance Abuse Providers

On July 1, 2021, Georgia’s new anti-kickback statute (SB 4), related to substance abuse patient brokering became effective. The law (O.C.G.A. § 26-5-80) prohibits payment, or the offer of remuneration, to induce referral of a patient to or from a substance abuse provider. Georgia enacted this statute after a pattern of substance abuse treatment centers seeking patient referrals from providers in exchange for fees was documented.

Under Georgia’s 2021 law, such payment or offers of payment in exchange for patient referrals with government or commercial insurance may result in criminal liability, including fines and imprisonment. The statute applies to any person, including any officer, partner, agent, attorney, or other representative of a firm, joint venture, partnership, business trust, syndicate, corporation, or other business entity, who engages in the proscribed conduct or participates in any such scheme.

The Georgia statute follows other state and federal laws, such as EKRA, related to substance abuse and patient brokering, which prohibit soliciting or receiving remuneration in exchange for referrals related to drug treatment services. Healthcare professionals and substance abuse treatment centers should therefore take heed and make sure they avoid violating Georgia’s statute or other applicable state and federal patient brokering laws. Healthcare professionals and organizations should also implement and maintain whatever policies and procedures are necessary to prevent prohibited referrals, and ensure that any referrals comply with exceptions permitted by applicable laws.

Even before enacting SB 4 in 2021, Georgia prohibited improper patient referrals under the Patient Self-Referral Act (O.C.G.A. § 43-1B-1, et seq.). That 1993 law remains as a broader prohibition of kickbacks for patient referrals by any provider licensed under Title 43 (including, e.g., physicians, chiropractors, podiatrists, pharmacists, etc.). As noted above, the 2021 statute prohibits any person or entity from soliciting, receiving, paying or offering to pay remuneration to induce patient referrals to or from substance abuse providers.

The 2021 Georgia statute states that remuneration includes, “but is not limited to, a commission, benefit, bonus, rebate, kickback, or bribe, directly or indirectly, in cash or in kind, or a split-fee arrangement, in any form.” A substance abuse provider includes any “state owned or state operated hospital, community mental health center, or other facility utilized for the diagnosis, care, treatment, or hospitalization of persons who are alcoholics, drug dependent individuals, or drug abusers, and any other hospital or facility within the State of Georgia approved for such purposes by the Department of Behavioral Health and Developmental Disabilities.”

Importantly, Georgia’s 2021 law applies to both public and private payers. The 2021 statute also contains exceptions, including, for example, arrangements that are not prohibited under the federal AKS and its associated safe harbors. It also includes an exception for payment, compensation or financial arrangement within a group practice as defined in Georgia’s Patient Self-Referral Act, provided that such payment, compensation or arrangement is not to or from persons who are not members of the group practice.

Georgia’s 2021 law (in O.C.G.A. § 33-1-16.1) also imposes criminal penalties for excessive and fraudulent medical testing related to the treatment of seniors, disabled individuals or individuals affected by pain, substance abuse, addiction or any disorder. Penalties for violating any part of the 2021 Georgia law include both fines and imprisonment, depending upon the number of patients involved.

Conduct in violation of the statute involving fewer than 10 patients could result in a misdemeanor punishable by a prison sentence of up to 12 months and a fine of up to $1,000 per violation. Prohibited conduct involving 10 or more patients (but fewer than 20 patients), could result in a felony punishable by imprisonment for up to 5 years and a fine of up to $100,000 per violation. And if the prohibited conduct involves 20 or more patients, it could result in a felony punishable by imprisonment for up to 10 years and a fine of up to $500,000 per violation. The provisions of this law are in addition to any other civil, administrative or criminal actions provided by law, and may be imposed against both corporate and individual defendants.

Consequently, healthcare provider individuals and entities operating in Georgia should ensure that they do not receive or pay remuneration for any referrals unless they comply with a statutory exception. For any referral arrangement made in reliance upon a permissible exception, providers should ensure that such arrangements are properly documented to align with each element of the applicable law, safe harbor or exception.

2019 Rule Expanding Anti-Fraud Measures

In September 2019, the Centers for Medicare & Medicaid Services (“CMS”) issued a final rule (84 Fed. Reg. 47794) that includes several anti-fraud measures and significantly expands the agency’s authority to exclude new and current providers and suppliers that are identified as posing an undue risk of fraud, waste or abuse. Importantly, the new measures require providers and suppliers to disclose upon CMS request and upon application for initial enrollment or revalidation, any “affiliations” with parties who have one or more defined “disclosable events.” The final rule became effective on Nov. 4, 2019.

Disclosure of Affiliations With Individuals or Entities That Have a Disclosable Event

The new disclosure measure requires all providers to disclose any current or prior affiliations (within the past five years) the provider or any of its owning or managing employees or organizations has or had with a current or former Medicare provider with a “disclosable event.”

A “disclosable event” is broadly defined to include:

  • An uncollected debt to CMS;
  • Current or previous payment suspension from a federal health care program;
  • Current or previous exclusion from a federal health care program; or
  • Previous denial, revocation, or termination of Medicare, Medicaid, or CHIP billing privileges.

“Affiliation” is also broadly defined to include:

  • A 5% or greater direct or indirect ownership in another organization;
  • A general or limited partnership interest in another organization;
  • An interest in which the entity or individual “exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization”;
  • An interest in which the individual acts as “an officer or director of a corporation”; or
  • Any reassignment relationship under 42 C.F.R. § 424.80 (the “prohibition of reassignment of claims by suppliers” rule).

If there is a triggering affiliation, the provider must disclose certain information about its affiliate, such as the legal and d/b/a names, tax identification number, National Provider Identifier (“NPI”), reason for disclosure, length of the relationship, type of relationship, degree of affiliation, and (if applicable) reason for termination.

The risk in having a triggering affiliation is that CMS can deny or revoke enrollment if it determines the affiliation “poses an undue risk of fraud, waste, or abuse.” This power extends to reported and unreported affiliations. CMS can also deny enrollment or revoke an existing enrollment if it requests information about the affiliation and the provider fails to “fully and completely disclose” the required information when it “knew or should have known of th[e] information.”

Unsurprisingly, the breadth of this rule generated a significant number of comments. But a common theme of these comments was a concern over CMS’s wide discretion to determine that an affiliation will result in an undue risk of fraud, waste or abuse. CMS tried to address this concern with a mere promise that actions against a provider will only be taken “after careful consideration of the facts and circumstances.”

Other Anti-Fraud Measures

In addition to establishing the new disclosure requirement, the rule gives CMS more authority and discretion to revoke or deny Medicare enrollment. For example, CMS will now be able to revoke or deny Medicare enrollment if:

  • The agency determines that a previously excluded provider or supplier is attempting to reenter the program under a different identifier (name, numeral identifier, business identity);
  • A provider or supplier bills for services or items that it knew or should have reasonably known are from non-compliant locations;
  • A physician or eligible professional exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services, or drugs; or
  • A provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.

Other important changes include CMS’s new authority to prohibit a provider from enrolling in Medicare for up to three years if the basis for its initial enrollment denial was the submission of false or misleading information in its application, and an extension of the reenrollment bar against previously excluded providers from three to up to 10 years. Furthermore, providers or suppliers that are revoked from Medicare for a second time may be prohibited from applying to re-enroll in the program for up to 20 years.

We currently are advising clients regarding compliance with this new rule. Please let us know if you have concerns about your risk under this new rule or are interested in preparing or revising policies to comply with the new final rule.

New Stark & AKS Rules Proposed by CMS & OIG

In October 2019, CMS and OIG published proposed rules in conjunction with HHS’s “Regulatory Sprint to Coordinated Care.” The Regulatory Sprint to Coordinated Care “aims to remove potential regulatory barriers to care coordination and value-based care created by four key Federal health care laws and associated regulations: (1) the physician self-referral law [(“Stark Law”)]; (2) the anti-kickback statute [(“AKS”)]; (3) the Health Insurance Portability and Accountability Act of 1996 [(“HIPAA”)]; and (4) the rules… related to opioid and substance use disorder treatment.”

The “CMS Proposed Rule” proposed changes to the Stark Law regulations. The CMS Proposed Rule aimed “to alleviate the undue impact of the physician self-referral statute and regulations on parties that participate in alternative payment models and other novel financial arrangements and to facilitate care coordination among such parties” with new exceptions for value-based compensation arrangements between or among physicians, providers, and suppliers that “satisfy specified requirements based on the characteristics of the arrangement and the level of financial risk undertaken by the parties to the arrangement or the value-based enterprise of which they are participants.”

The CMS Proposed Rule also contained more general proposals that “seek to balance genuine program integrity concerns against the considerable burden of the physician self-referral law’s billing and claims submission prohibitions by reassessing the appropriate scope of the statute’s reach.” For instance, CMS proposed to revise the definition of “fair market value” to “eliminate the connection to the volume or value standard” and add a definition of “commercially reasonable” to mean “that the particular arrangement furthers a legitimate business purpose of the parties and is on similar terms and conditions as like arrangements.” In connection with the latter proposal, CMS proposed that “[a]n arrangement may be commercially reasonable even if it does not result in profit for one or more of the parties.”

In addition, the CMS Proposed Rule would create new exceptions for “nonabusive business practices,” including arrangements under which a physician receives limited remuneration and donations of cybersecurity technology and related services. It would also amend the existing exception for the donation of electronic health record (“EHR”) items and services, including by removing the sunset provision. CMS also specifically requested comments about price transparency in the context of the Stark Law, including whether to require cost-of-care information at the point of referrals.

The “OIG Proposed Rule” proposed regulatory changes impacting the scope of the AKS and the Civil Monetary Penalties Law. The OIG Proposed Rule would add a number of safe harbor protections, including for coordinated care and associated value-based arrangements between or among clinicians, providers, and suppliers. These would include safe harbors for: (1) care coordination arrangements aimed at improving quality and outcomes; (2) value-based arrangements with substantial downside financial risk; and (3) value-based arrangements with full financial risk. The OIG Proposed Rule would also add a safe harbor for beneficiary incentives under the Medicare Shared Savings Program and, like the CMS Proposed Rule, for donations of cybersecurity technology.

In addition to new safe harbors, the OIG Proposed Rule would also amend the existing safe harbors for EHR arrangements, warranties, local transportation, and personal services and management contracts. The OIG’s focus in the rulemaking was on ensuring protected arrangements “promote coordinated patient care and foster improved quality, better health outcomes, and improved efficiency,” and “would not be misused to perpetrate fraud and abuse.”

These proposed changes signaled broad reform in the application and enforcement of federal fraud and abuse laws, with wide-ranging implications for the types of arrangements that may be permissible for healthcare industry participants. Through these proposed rules, HHS sought to remove key burdens on providers under the Stark Law and AKS, without creating substantial risk of increased fraud and abuse. Both CMS and OIG noted the “close nexus” of the two laws, and aligned requirements between the two laws where they could, but also noted that the AKS often acts as a “backstop” to the Stark Law such that some of OIG’s proposals are stricter.

In general, most providers welcomed these proposed changes, even though many existing provider arrangements may need to be revised or terminated to comply with the amendments. The proposed changes were subject to a public comment period until December 31, 2019. According to a July 21, 2020 posting, the final rules to reform the Stark and AKS regulations were under review at the Office of Management and Budget and were still expected in 2020. However, a notice in the Federal Register on August 26, 2020 gave the agency until August 2021.

CMS & OIG Issue Stark & AKS Final Rules

On November 20, 2020, CMS and the HHS OIG issued the two highly anticipated final rules to reform the Stark Law and Anti-Kickback Statute regulations. Efforts to modernize and clarify the fraud and abuse laws began in 2018 as part of the Regulatory Sprint to Coordinated Care Initiative. The initiative is aimed at removing regulatory barriers that may hamper innovative arrangements for coordinating care consistent with a shift to a value-based healthcare system. The agencies emphasized that the final rules offer healthcare providers more flexibility to coordinate and improve care for patients, while maintaining important guardrails that prevent overutilization and fraud and abuse.

The Stark final rule creates new, permanent exceptions to the Stark Law for value-based arrangements, according to CMS. These exceptions will apply broadly to care provided to all patients, not just Medicare beneficiaries, CMS said.

The 627-page final rule also includes additional clarifications and guidance on key issues in response to stakeholder comments. For example, the final rule provides guidance on how to determine if compensation meets the requirement that compensation provided to a physician by another healthcare provider generally must be at fair market value. The rule also provides clarity and guidance on a wide range of other technical compliance requirements intended to reduce administrative burden that drives up costs, an agency fact sheet said.

In addition, the final rule includes new exceptions to provide protection for non-abusive, beneficial arrangements between physicians and other healthcare providers. These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare system, regardless of whether the parties operate in a fee-for-service or value-based payment system, the fact sheet said.

The final rule supports CMS’ “Patients over Paperwork” initiative by reducing unnecessary regulatory burdens on physicians and other healthcare providers, while reinforcing the Stark Law’s goal of protecting patients from unnecessary services and being steered to less convenient, lower quality, or more expensive services because of a physician’s financial self-interest.

The 1000-plus page AKS final rule implements seven new safe harbors, modifies four existing safe harbors, and codifies one new exception under the Beneficiary Inducements CMP. The final rule also modifies and clarifies certain provisions in response to comments received on the proposed rule.

For example, the rule clarifies how medical device manufacturers and durable medical equipment companies may participate in protected care coordination arrangements that involve digital health technology; lowers the level of “downside” financial risk parties must assume to qualify under the new safe harbor for value-based arrangements with substantial downside financial risk; and broadens the new safe harbor for cybersecurity technology and services to cover remuneration in the form of cybersecurity-related hardware, according to an agency fact sheet.

The final rules, which adopt most of the October 2019 proposals with some notable modifications, generally take effect on January 19, 2021. The Federal Register link can be accessed here. The fact sheets are available here and here. Providers should seek health law counsel to assist in determining whether their value-based activities and compensation arrangements might qualify under the new exceptions.

Recent $46 Million FCA Settlement Arising Out of Alleged Stark & AKS Violations Illustrates Risks Healthcare Providers Face

In November 2019, the Department of Justice (“DOJ”) announced a settlement with California-based Sutter Health and Sacramento Cardiovascular Surgeons Medical Group Inc. over alleged violations of the Physician Self-Referral Law and the Anti-Kickback Statute. Sutter and Sacramento Cardio agreed to pay $46 million. The whistleblower suit was brought by a former Sutter Health compliance officer who accused the hospital group of improperly billing Medicare and providing kickbacks to physicians at Sacramento Cardio for referring patients to Sutter.

Here is a portion of the DOJ’s press release, highlighting the very real risks hospitals, physicians and others in the healthcare industry face:

Several hospitals owned and operated by Sutter Health (Sutter), a California-based healthcare services provider, and Sacramento Cardiovascular Surgeons Medical Group Inc. (Sac Cardio), a practice group of three cardiovascular surgeons, have agreed to pay the United States a total of $46,123,516 to resolve allegations arising from claims they submitted to the Medicare program, the Department of Justice announced today.

The Physician Self‑Referral Law, commonly known as the Stark Law, prohibits a hospital from billing Medicare for certain services referred by physicians with whom the hospital has a financial relationship, unless that relationship satisfies one of the law’s statutory or regulatory exceptions. It is intended to ensure that medical decision-making is not influenced by improper financial incentives and is instead based on the best interests of the patient.

As part of the settlements announced today, one of Sutter’s hospitals, Sutter Memorial Center Sacramento (SMCS), has agreed to pay $30.5 million to resolve certain allegations that, from 2012 to 2014, it violated the Stark Law by billing Medicare for services referred by Sac Cardio physicians, to whom it paid amounts under a series of compensation arrangements that exceeded the fair market value of the services provided. Relatedly, Sac Cardio has agreed to pay $506,000 to resolve allegations that it knowingly submitted duplicative bills to Medicare for services performed by physician assistants that it was leasing to SMCS under one of those compensation arrangements.

“Improper financial arrangements between hospitals and physicians can influence the type and amount of health care that is provided,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division. “The Department is committed to taking action to eliminate improper inducements that can impact physician decision-making.”

“This office will continue to take all appropriate action to help ensure that the beneficiaries of federal health care programs receive services untainted by improper financial incentives,” said U.S. Attorney David L. Anderson for the Northern District of California.

“Providers must rigorously comply with the law and Medicare requirements,” said U.S. Attorney McGregor W. Scott for the Eastern District of California. “This office is committed to pursuing enforcement actions that will ensure the integrity of federal health care programs.”

Separately, Sutter has agreed to pay $15,117,516 to resolve other conduct that it self‑disclosed to the United States, principally concerning additional violations of the Stark Law. Specifically, Sutter hospitals submitted Medicare claims that resulted from referrals by physicians to whom those hospitals (1) paid compensation under personal services arrangements that exceeded the fair market value of the services provided; (2) leased office space at below-market rates; and (3) reimbursed physician-recruitment expenses that exceeded the actual recruitment expenses at issue. Additionally, several Sutter ambulatory surgical centers double-billed the Medicare program by submitting claims that included radiological services for which Medicare separately paid another entity that had performed those services.

Certain allegations relating to SMCS and Sac Cardio were originally brought by Laurie Hanvey in a lawsuit filed under the whistleblower provisions of the False Claims Act, which allow private parties to bring suit on behalf of the federal government and to share in any recovery. The whistleblower will receive $5,891,140 as her share of the federal government’s recovery in this case. The case is captioned United States ex rel. Hanvey v. Sutter Health et al., Civil Action No. 14-4100 (N.D. Cal.).

FCA Liability for Billing Under Credentials of Provider Who Didn’t Render the Services

An example of FCA liability for charging or submitting claims under the billing credentials of a provider who did not render the services to the patient occurred in a recent Georgia federal district court case. On April 20, 2022, the U.S. District Court for the Middle District of Georgia held that Middle Georgia Family Rehab, LLC (“MGFR”) and its founder and co-owner Brenda Hicks violated the FCA by submitting bills under the names of two therapists after they no longer were employed by MGFR.

The defendants admitted they submitted the claims under the therapists’ names after they left MGFR, but argued that it was a simple mistake, and therefore the government could not demonstrate the knowledge element of its FCA claim. The court disagreed, however, finding that, at the very least, the government demonstrated defendants acted with “reckless disregard” for purposes of proving knowledge under the FCA. The court said it would hold a hearing within 30 days to consider the imposition of statutory fines and penalties for the FCA violations. (The court denied the government summary judgment on its other FCA claims.)

Relator Joshua Walthour, a licensed occupational therapist who worked at MGFR for several months in 2018, filed a qui tam action against defendants, alleging they fraudulently billed the Medicare, Medicaid and TRICARE programs. The federal government intervened. The government moved for summary judgment on its claim that defendants falsely reported to government healthcare programs who was rendering services for reimbursement. Specifically, the government alleged that MGFR submitted false claims for services as rendered by three therapists—Gamal Elawad, Maren Johnson and Cassandra Frazier—but who did not actually provide the services.

Defendants acknowledged that they billed for services under Elawad’s name while he was incarcerated, under Johnson’s name after she left her employment with MGFR, and under Frazier’s name while she was out of the state and after she resigned from MGFR. But in opposing summary judgment, defendants denied that they knowingly submitted, or caused to be submitted, false claims for payment.

As to Elawad, the court agreed with defendants that a genuine issue of material fact existed on the knowledge element. Hicks and MGFR maintained that they were following guidance from government representatives in submitting claims under Elawad’s name during the relevant time period. According to Hicks, she relied on the Medicare and TRICARE helplines to obtain guidance on how to submit claims for reimbursement.

Hicks alleged that these government representatives informed her that she could bill under the names of supervising occupational or physical therapists for services rendered by physical therapy and occupational therapist assistants so long as the supervising therapist made an onsite supervisory visits every 30 days. Defendants therefore contended that Elawad’s dates of incarceration did not prevent him from supervising his physical therapy assistants consistent with the advice and direction they received from Medicare and TRICARE.

“While this may seem like a far-fetched and conveniently self-serving response,” the court declined to resolve the knowledge issue at the summary judgment stage. The court reached the same conclusion regarding the bills that defendants submitted under Frazier’s name while she was out of state citing identical reasoning. However, the court rejected defendants’ argument for claims submitted after Frazier and Johnson were no longer employed or working at MGFR.

The court refused to accept defendants’ argument that billing for services under Johnson’s name for eight months after she left MGFR amounted to “mere negligence” or an “honest mistake.” Instead, the court found the circumstances “epitomize[d] ‘reckless disregard’ of the truth” for purposes of proving the FCA knowledge element. The court reached the same conclusion for claims submitted under Frazier’s name after she resigned from MGFR.

The case is United States ex rel. Walthour v. Middle Ga. Family Rehab, LLC, No. 5:18-cv-00378-TES (M.D. Ga., Apr. 20, 2022), and it demonstrates what can happen when services are billed under the the NPI or credentials of a provider who did not actually render the services to the patient. The entity and individuals responsible for billing may be held liable under the FCA (or similar state statutes) for knowingly (or recklessly) misrepresenting the identities of the providers rendering the services underlying the specific claims.

Failure to Provide Required Supervision May Be Considered Fraud

On May 17, 2022, the DOJ announced an almost $300,000 settlement to resolve FCA allegations related to a medical facility’s claims for radiation therapy and diagnostic services that were provided without the requisite direct supervision. While the services were actually furnished to patients, the supervising physician was not immediately available to provide the direction and assistance required for coverage of such services.

This matter was brought to the government’s attention by a former employee of the medical facility as a qui tam action. And the case underscores the importance of meeting all supervision requirements before submitting a claim for reimbursement, as the failure to meet such requirements could be considered fraud.

Reporting Fraud, Waste, Abuse & Retaliation

The HHS-OIG has asked that anyone with information about waste, fraud, abuse, misconduct, or whistleblower reprisal relating to an  employee, program, contract, or grant, report it to the HHS-OIG Hotline. To learn more, visit

Virtually all reputable healthcare providers and their counsel agree that whistleblowers should report retaliation. However, most healthcare organizations try to operate in a compliant fashion, understanding that the rules and regulations are often complex. And most healthcare providers who try to be compliant hope that whistleblowers will work within the organization’s compliance program to resolve compliance issues. Indeed, many employers expressly require that their employees do so in their employment contracts. (See, e.g., the Compliance Plans & Agreements section of our Healthcare & Physician Contracts webpage for additional information.) Individuals and organizations should therefore consult legal counsel for specific advice and guidance whenever these types of issues arise.

Self-Disclosure Protocols

The HHS-OIG offers healthcare providers and organizations an opportunity to “self-disclose” certain violations in exchange for avoiding some of the more severe penalties that may otherwise apply under applicable laws, rules or regulations. However, even though the OIG’s Self-Disclosure Protocols (“SDP”) can be compelling, decisions regarding whether to utilize OIG’s self-disclosure protocols are often difficult and complex.

First, OIG’s SDP is not available in all situations. The SDP is limited to situations that potentially violate federal criminal, civil or administrative laws for which Civil Monetary Penalties (“CMPs”) are authorized. The OIG does not allow use of its SDP to merely provide opinions on whether a law was violated by the conduct described as the basis for a self-disclosure.

OIG’s SDP is also not available to disclose and possibly settle Stark Law violations that do not potentially violate the Anti-Kickback Statute. CMS maintains a separate process that can be used for Stark Law only issues. The OIG protocols are generally used where there is a potential violation of the AKS, overpayments that become False Claims under the 60-day repayment rule, and other cases or situations in which CMP statutes are potentially implicated. CMS’s Physician Self-Referral Disclosure Protocol (“SRDP”) is used for potential violations of the Stark Law.

Second, fortunately (or unfortunately), it is not always clear whether a violation of a CMP law has occurred. As anyone involved in healthcare law knows, ambiguity often exists with respect to specific billing, compensation and reimbursement rules and regulations. And the laws and other regulatory standards that govern financial arrangements and transactions in healthcare are not always clear. Nevertheless, the potential liability for making an incorrect decision about whether a violation or infraction occurred can be significant. This may impel a healthcare provider or organization to use the SDP or SRDP as a risk-mitigation mechanism, even in cases where it is unclear whether a violation has occurred.

Additional penalties may also be imposed when a healthcare provider or organization “knows or should know” that a rule or regulation has been violated or an overpayment occurred. But whether a provider “should” have known that an overpayment or other infraction occurred is often arguable and complex.

For example, failing to repay an overpayment within 60 days of gaining actual or imputed knowledge can triple the amount of penalties and add tens of thousands of dollars per claim to total penalties. It might be relatively easy to determine that a provider did not have actual knowledge as of a certain date. But it is often much more difficult to determine when the provider should have had knowledge through proper implementation of an effective compliance program.

If a date of “imputed” knowledge was more than 60 days before a date of disclosure, there is potential liability for increased damages, even if “actual” knowledge was obtained within the 60-day repayment period. (Please see our Healthcare Provider/Provider & Provider/Payer (Reimbursement) Disputes webpage for additional information.) The SDP might be considered to mitigate the potentially enhanced damages that would potentially be applicable under the False Claims Act in such situations. But the facts and applicable law are not always clear-cut.

Not every situation where there has been a billing error amounts to fraud or wrongdoing requiring use of the self-disclosure protocol. Many overpayments that are identified through an audit can be dealt with at an intermediary level. Where an investigation raises questions about whether incorrect bills were “knowingly” submitted, or shows that to be the case, the self-disclosure process may provide some mitigation of potential liability. But situations where the provider perhaps “should have known” about a violation raise more complex and difficult issues for analysis.

Generally, when errors or misbehaviors are discovered, providers are best advised to be forthright and address the matter “head on.” Healthcare lawyers generally agree it is never a good idea to simply pretend a potentially illegal situation does not exist or will never be discovered or brought to light. Violations can be reported or come to enforcers’ attention in numerous and often unexpected ways. And consequences generally get worse the longer it takes to identify and rectify a problem.

When in doubt, an internal investigation should be promptly conducted that leads to a reasoned decision about any potential violation. The SDP is available to mitigate potential damages when such an investigation reveals a violation occurred. And the SDP can be especially helpful when it appears that there is potential exposure to enhanced civil monetary penalties.

OIG’s SDP requires the disclosing party to identify the specific legal provisions that were potentially violated and acknowledge that the conduct potentially violated the identified laws. Another requirement of the SDP is that the provider or supplier identify its corrective action(s). The problematic conduct should have stopped prior to disclosure or be in the process of termination. And all other necessary corrective action should be complete and effective at the time of disclosure.

When all of the above requirements are met, as OIG’s website states, “Self-disclosure gives persons the opportunity to avoid the costs and disruptions associated with a Government-directed investigation and civil or administrative litigation.”

OIG’s Revised Self-Disclosure Protocol

On November 8, 2021, the HHS-OIG released a revised Provider Self-Disclosure Protocol, renamed the Health Care Fraud Disclosure Protocol (“SDP”). OIG published the original SDP in 1998 to establish a process for voluntarily identifying, disclosing and resolving instances of potential fraud involving federal healthcare programs. The SDP underwent major revision in April 2013, and the revisions issued in November 2021 were the first since 2013.

The revised SDP increased the minimum amounts required to settle under the protocol. For kickback-related submissions, OIG increased the minimum settlement amount to resolve a matter from $50,000 to $100,000. For all other matters accepted into the SDP, OIG now requires a minimum $20,000 settlement, up from $10,000 in the 2013 SDP. The revisions reflect new statutory minimum penalty amounts that OIG is authorized to impose. (Current CMP maximum adjusted penalties can be found at 45 C.F.R. § 102.3.)

Under the revised SDP, providers must make submissions through OIG’s website and no longer have a mail-in option. The revisions also clarify that grant recipients and federal contractors should use OIG’s Grant Self-Disclosure Program or OIG’s Contractor Self Disclosure Program rather than the SDP to make disclosures.

OIG also clarifies that while corporate integrity agreement (“CIA”) reportable events can be disclosed under the SDP, the disclosure must now reference that the disclosing party is subject to a CIA. The disclosure also must be sent to the disclosing party’s OIG monitor. And any disclosures that are reportable events under the CIA must also be reported as such to OIG. (See the Compliance Plans & Agreements section of our Healthcare & Physician Contracts webpage for additional information.)

OIG requires that parties provide an estimate of damages. In the revised SDP, OIG clarifies that this estimate must include an itemization of damages for each federal healthcare program, and a total of damages for all federal healthcare programs.

OIG further clarified that the Department of Justice sometimes settles SDP cases. In the SDP, OIG states that it coordinates with DOJ to resolve civil and criminal matters, and any disclosure of criminal conduct through the SDP will be referred to DOJ for resolution. OIG states that it will “advocate that the disclosing party receives a benefit from disclosure under the SDP” for civil matters. In the 2013 version of the SDP, OIG included this same language regarding criminal matters. However, OIG removed this reference for criminal matters in the revised SDP. Whether the SDP’s current advocacy limitation to civil matters is significant remains to be seen, as new cases work their way through the SDP process. Sentencing Guidelines used for criminal cases allow “credit” for compliance efforts, but the SDP’s advocacy change may indicate an increasing intolerance for healthcare fraud that the government believes rises to a level of criminality. Or it may simply reflect a realignment of enforcement authorities.

In the revised SDP, OIG made technical changes to statistics, terminology and background facts. The revised SDP reported that between 1998 and 2020, OIG resolved over 2,200 disclosures, resulting in recoveries of more than $870 million to federal healthcare programs. The revised SDP does not change timelines and content requirements for disclosures, methods for calculating damages, or a timely settlement with a lower multiplier and exclusion release.

The revised SDP shows that OIG continues to expect providers and suppliers to identify, rectify, report and resolve instances of potential fraud involving federal healthcare programs. The SDP provides a process for possibly reducing potential penalties. But to utilize the SDP, healthcare providers and suppliers must have an active and effective compliance program in place that can identify potentially fraudulent conduct, stop it, and address the consequences. For additional information, please see

DOJ’s Voluntary Self-Disclosure Policy

In February of 2023, the DOJ issued a press release highlighting its Voluntary Self-Disclosure (“VSD”) Policy for U.S. Attorney’s Offices (“USAOs”). The DOJ developed this policy, which is applicable to each of the 93 USAOs nationwide, several months after the September 15, 2022 Monaco Memo, which required each DOJ component to create and publish a self-disclosure policy. For healthcare organizations, the DOJ’s VSD policy is another self-disclosure procedure that must be considered for potential fraud and abuse violations subject to OIG or CMS enforcement.

The stated purpose of the DOJ VSD policy is to “to standardize how VSDs are defined and credited by USAOs nationwide, and to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations.”

Key elements of DOJ’s VSD policy include:

  • A requirement that corporate self-disclosures be timely, coupled with guidance that a company is considered to have made a timely VSD if the company discloses the misconduct (1) when it becomes aware of the misconduct by employees or agents; (2) before that misconduct is publicly reported or otherwise known to the DOJ; and (3) in a manner that discloses all relevant facts known to it about the misconduct to a USAO in a timely fashion prior to an imminent threat of disclosure or government investigation.
  • A company that fully self-discloses under the policy and meets all other requirements, in the absence of any aggravating factors, will receive significant benefits, including that the USAO will not seek a guilty plea, may choose not to impose any criminal penalty and, in any event, will not impose a criminal penalty that is greater than 50% below the low end of the sentencing guidelines fine range and will not seek the imposition of an independent compliance monitor if the company demonstrates that it has implemented and tested an effective compliance program.

The policy identifies three aggravating factors that may warrant a USAO seeking a guilty plea even if the other requirements of the VSD policy are met. Those aggravating factors are: (1) the misconduct poses a grave threat to national security, public health, or the environment; (2) the misconduct is deeply pervasive throughout the company; or (3) the misconduct involves current executive management of the company.

It is unclear as of this writing how DOJ will interpret or implement its policy with respect to healthcare organizations or other companies outside the healthcare industry. But as a result of the VSD policy, healthcare entities must ask themselves numerous questions in deciding whether they should voluntarily self-disclose misconduct. Some of those questions include the following:

When does an organization become aware of facts or circumstances requiring or warranting self-disclosure?

Many large healthcare organizations have whistleblower hotlines in place. Those companies might get dozens, or even hundreds, of hotline calls that lead to no action being taken, whether the company conducts an in-house investigation of the call or retains outside counsel to do so. This raises an important question regarding how the DOJ will interpret the VSD policy’s requirement that companies report “when they become aware” of misconduct. Will the DOJ, for example, interpret that requirement to mean “when the first call comes in to the company’s internal whistleblower hotline?” And, if so, does that mean that companies investigating calls rather than immediately making self-disclosures will be considered ineligible for credit under the policy? For healthcare providers, for example, such a strict interpretation would interfere with the well-established six-month reasonable diligence period for investigating potential Medicare overpayments, before the 60-day repayment window provided by Section 1128J(d)2) of the Social Security Act begins.

If the DOJ adopts such an interpretation of the timeliness requirement, it could prove unworkable for many large healthcare companies. For healthcare providers receiving Medicare funds, in particular, it would conflict with the HHS-OIG Health Care Fraud Self-Disclosure Protocol, which requires that a reporting party conduct an internal investigation and report its findings to OIG before it can be considered for admission into the SDP. Similarly, the CMS Voluntary Self-Referral Disclosure Protocol contemplates that the reporting party will conduct a “reasonable assessment” and identify actual or potential violations prior to self-disclosure. The uncertainty of the VSD policy on this point might result in healthcare companies, in particular, having to question whether their disclosure, if not made immediately upon receipt of a whistleblower call, will be deemed timely by the DOJ.

In addition, it is easy to imagine a scenario in which a healthcare organization or provider decides to conduct an internal investigation to ascertain whether an internally reported complaint has any viability, only to learn during the pendency of the investigation that the whistleblower has already alerted the government, either personally or through counsel. In such a scenario, would the company be precluded from taking advantage of the DOJ VSD policy if it subsequently discloses the results of its investigation to the DOJ immediately upon its conclusion? At this stage, the policy does not provide an answer.

What is “otherwise known to the DOJ”?

Also uncertain is the interaction of DOJ’s VSD policy with the self-disclosure protocols of other agencies. As noted above, healthcare organizations are subject to several other self-disclosure procedures, including the OIG’s SDP and CMS’ SRDP. Under these protocols, the OIG and CMS will often notify the DOJ of a disclosed actual or potential fraud and abuse violation. As a coordinating agency, the DOJ is then able to elect whether it will participate in the settlement process. In fact, the OIG SDP makes clear that if the DOJ decides to get involved, the “DOJ determines the approach in cases in which it is involved. OIG also coordinates with DOJ on disclosures involving potential criminal conduct. OIG’s Office of Investigations investigates criminal matters, and any disclosure of criminal conduct through the SDP will be referred to DOJ for resolution.”

However, the VSD policy states that a healthcare organization must disclose misconduct before it is “otherwise known to the DOJ.” But what if the DOJ is made aware of the conduct due to the healthcare organization’s self-disclosure to the OIG or CMS? Must any disclosure to the OIG or CMS be simultaneously made to the DOJ (or made to the DOJ beforehand), even if the DOJ may ultimately elect not to participate in the settlement? It is conceivable that a healthcare organization or provider conducting an internal investigation of Medicare overbilling allegations, for example, in an effort to attempt to take advantage of the OIG SDP or CMS SRDP, may be precluded from taking advantage of the DOJ VSD safe harbor if the DOJ deems the disclosure to be already known to the DOJ.

What constitutes “misconduct by employees or agents”?

In addition to the timeliness requirement discussed above, the VSD policy requires self-disclosure of a broad scope of information, namely, any “misconduct by employees or agents.” This phrase is undefined. Questions therefore include the following: must a healthcare organization or provider report to the DOJ everything and anything, anytime it gets even a whiff of any sort of employee misconduct? Or is there some de minimis threshold of “misconduct” evidence that must be met to trigger the requirement?

Similarly, how does the VSD policy relate to or apply employment and agency law? For instance, hospitals often grant hospital privileges to members of its medical staff who are not “employees,” and many use per diem and travel nurses who are typically independent contractors for tax purposes. Where should healthcare organizations and medical practices draw the line between “employees or agents” and independent contractors or service providers? Does it matter the capacity in which the individual was acting during the conduct in question? If a per diem nurse’s conduct was, for example, beyond the scope of his/her contracted-for relationship, must a hospital report it? Because the VSD policy does not provide direct answers to these questions, healthcare organizations must decide and try to anticipate how the DOJ will view these issues.

What are “all relevant facts”?

The VSD policy requires disclosure of “all relevant facts.” Unfortunately, however, determining precisely which facts are “relevant” is often difficult, even with perfect hindsight, much less early on, before a thorough investigation is fully complete. Does the DOJ, for example, expect healthcare organizations and providers to apply the broadest possible interpretation of the word “relevant”? In other words, is the broad “relevance” standard in civil discovery (i.e., all facts which could lead to the discovery of admissible evidence) applicable? Or does “relevance” depend on the specific circumstances of the potential misconduct being disclosed, thereby making the term more like a higher “materiality” standard? How can healthcare organizations and providers protect themselves without disclosing more than is necessary, required or appropriate to receive the policy’s benefits? Are there exceptions to the “all relevant facts” requirement for confidential or protected health information? The concern that a healthcare provider’s disclosure — even one made in the utmost good faith — might be deemed an insufficiently full disclosure of “all relevant facts” might be a barrier to healthcare entities voluntarily self-disclosing potential misconduct.

What constitutes “in a timely fashion”?

The timeliness issue is tied into the uncertainty raised by the phrase “when it becomes aware.” Unlike the DOJ’s Criminal Division’s recently updated Corporate Enforcement and Voluntary Self-Disclosure Policy — which specifically requires self-disclosure “at the earliest possible time,” even if a company has not completed its internal investigation — the new VSD policy is silent on the issue. It therefore is unknown how the DOJ will interpret the term “timely” under the VSD policy. Is it “as soon as humanly possible,” or is disclosure “within a reasonable time” satisfactory?

Although currently uncertain, we presume that the DOJ is likely to assess timeliness similarly under both the Criminal Division policy and the VSD policy. For example, healthcare providers faced with potential overbilling issues have historically operated under the OIG’s SDP and CMS’ SRDP timetable, and generally conduct internal investigations to determine whether there was overbilling before facing the 60-day deadline. The VSD policy adds a new issue: does a provider now have to choose between the DOJ’s VSD policy and the applicable OIG SDP/CMS SRDP? Will an internal investigation conducted with reasonable diligence serve to “toll” the VSD policy’s definition of “timely” much the way it tolls the running of the 60-day overpayment repayment obligation? The answer will probably depend on the specific facts and circumstances of each case, including information reported to the company, information the company obtains through an internal investigation, and the chronology of events. In any case, the burden almost certainly will remain on the company to show that its disclosure was “timely.” It seems impractical to expect a large company to immediately disclose every complaint it receives from its whistleblower hotline to the DOJ. In most cases, companies will want and presumably need to investigate complaints to weed out those that have no merit before notifying the DOJ or another agency about potential misconduct. But the DOJ VSD policy does not expressly say whether such a normally prudent course of action will entitle the entity to the safe harbor the VSD policy potentially offers.

Despite the uncertainty surrounding the DOJ’s interpretation and implementation, the new DOJ VSD policy creates strong incentives for robust compliance programs and internal investigation capabilities. The potential benefits the new DOJ VSD policy offers are designed to incentivize more self-disclosures. Avoiding criminal prosecution by obtaining a non-prosecution agreement (“NPA”) or obtaining a reduced fine for self-disclosure are powerful incentives. These potential benefits should motivate healthcare organizations and providers that do not already have strong compliance programs to develop and implement such programs promptly. The policy should also lead all healthcare entities to encourage internal reporting and quickly undertake internal investigations by in-house counsel or outside attorneys to hopefully identify serious issues before the government becomes involved. Only by doing so can companies preserve their ability to take advantage of the policy’s potential benefits.

Given the numerous legal and regulatory requirements governing the healthcare industry, conducting prompt internal investigations is particularly important for healthcare organizations. Only by completing prompt investigations can companies make informed decisions about whether to voluntarily self-disclose violations to the DOJ or other agencies. Without compliance programs, internal reporting mechanisms, and investigation protocols already in place, companies are unable to intelligently consider whether to make voluntary a self-disclosure that might be deemed to fall within the new policy’s requirements.

While it remains to be seen how the DOJ will interpret the new policy’s language and how often NPAs will be given or reduced sanctions imposed, it is nonetheless important that healthcare organizations develop, implement and abide by robust compliance programs, including prompt investigations of internally reported misconduct allegations. Using experienced outside counsel to help facilitate development and implementation of these proactive steps is something companies should also strongly consider, particularly when allegations are serious or maintaining the attorney-client privilege is crucial. Given the uncertainties about how the new policy will be interpreted and applied, and the uncertainty regarding whether a disclosure will result in an NPA, there is a risk that a disclosure could serve as a roadmap for charges. But engaging outside counsel experienced in dealing with the DOJ and relevant USAO can help healthcare organizations address these concerns through submission of a well-crafted disclosure that maximizes the likelihood of obtaining an NPA and minimizes the risk of indictment or other adverse action.

OIG Expands its FAQ Process

In the spring of 2023, HHS-OIG announced that it is expanding its frequently asked question (“FAQ”) process to provide informal feedback on topics including the anti-kickback statute, the civil monetary penalty law, and OIG’s enforcement authority under these statutes. These topics are in addition to the current topics covered by the OIG’s FAQs, which address advisory opinions, corporate integrity agreements, exclusions, and contractor self-disclosures. The OIG noted that its feedback is non-binding, the FAQs do not give a party prospective immunity, and it may choose to not respond to a particular question. Additionally, while the OIG will not include a party’s identifying information in an answer, the OIG noted that information submitted with a question may be available to the public under the Freedom of Information Act.

COVID-19 Fraud Enforcement & Telehealth

As the COVID-19 pandemic put enormous, new strains on the healthcare system, the federal government, state government and health insurers all urged providers and patients to utilize telehealth services for both COVID-19 testing and non-emergent conditions, to help minimize potential coronavirus exposure and preserve scarce healthcare resources. To encourage providers to implement telehealth services in their medical practices and treatment regimens, the government relaxed certain healthcare industry rules and regulations to make it easier for providers and patients to engage in proper telehealth consultations.

For example, under new rules announced on March 30, 2020 and effective retroactively to March 1, 2020, hospitals were allowed to offer healthcare providers free meals, laundry or child care services — things that are typically barred under Stark or anti-kickback laws. (A summary of CMS’s blanket waivers of certain self-referral prohibitions contained in the federal Stark Law appears here. And a summary of all of CMS’s COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers is here.) Notably, however, the Stark blanket waiver would protect only remuneration and referrals that are related to a broad set of COVID-19 purposes.

Similarly, on April 3, 2020, the HHS OIG issued a statement that it would not impose administrative sanctions under the AKS for remuneration related to COVID-19 covered by the blanket waivers issued by the Secretary. After finding a public health emergency due to the COVID-19 outbreak, the Secretary issued blanket waivers to help ensure availability of sufficient care for Medicare, Medicaid, and Children’s Health Insurance Program recipients who are in an emergency area, and to exempt providers from sanctions who render services in good faith, but due to the crisis, were unable to comply with self-referral prohibitions. OIG’s full Policy Statement Regarding Application of Certain Administrative Enforcement Authorities Due to Declaration of Coronavirus Disease 2019 (COVID-19) Outbreak in the United States as a National Emergency is available here. And OIG’s fact sheet appears here.

CMS has also waived certain Medicare reimbursement requirements, including that a medical visit must occur at an originating site. The Drug Enforcement Administration waived certain restrictions that previously prohibited prescribing opioids via telehealth. And states, including Georgia, waived certain Medicaid requirements, including allowing telehealth as a means to establish certain physician-patient relationships.

These loosened regulations and increased reimbursements presented significant opportunities for healthcare providers, telehealth companies, and technology companies. But they also inevitably led and will lead to heightened government scrutiny and oversight. While the current, temporary regulatory landscape certainly eases the requirements for telehealth, it does not eliminate the applicability of the Stark Law, Anti-Kickback Statute, False Claims Act, or similar state anti-fraud or abuse laws. Moreover, as relaxed regulations are implemented and billions of dollars of relief funds are paid, heightened government enforcement will only continue to expand going forward.

Prior federal stimulus efforts showed high risks of fraud and abuse. Consequently, government enforcers are taking proactive measures to combat fraud and abuse resulting from the coronavirus pandemic response. In particular, the government is focused on investigating and prosecuting efforts to take advantage of the pandemic by selling fraudulent services and treatments. At the same time, regulations concerning stimulus money and guidance related to the Stark blanket waivers and other regulatory announcements are evolving and subject to different interpretations.

Additionally, as telemedicine expands its essential role in the post-COVID-19 healthcare system, the federal government has increased its efforts to ensure that fraud and kickbacks do not interfere with legitimate patient referrals for telehealth services. As noted above, in March 2020, HHS’ OIG lifted some restrictions on telemedicine to make healthcare more accessible as the nation grappled with the effects of COVID-19. Among the restrictions that were lifted, telemedicine providers have been permitted to reduce or waive patient deductibles and copayments for telehealth services paid for by federal healthcare programs, something that otherwise would be considered a kickback and thus illegal under the AKS.

As a result of the increased telemedicine flexibility, the OIG has increased its efforts to combat fraud in telemedicine through “Operation Brace Yourself” and “Operation Double Helix,” two operations designed to ensure that patient referrals are based on sound medical advice and not financial greed. An inter-agency coalition, which includes HHS’ OIG and the DOJ, has increased efforts to investigate claims of potential telemedicine fraud. On July 9, 2020, the U.S. Attorney for the Southern District of Georgia reported obtaining a guilty plea for an alleged $60 million telemedicine scheme. This telemedicine prosecution was only the latest in more than $480 million of alleged fraud cases brought by the U.S. Attorney’s Office as of July 2020.

Healthcare professionals and organizations who utilize telehealth and telemedicine must be vigilant regarding potential fraud, waste and abuse risks. That is particularly true when engaging with marketing entities, lead generators and call centers.

Telemedicine providers should therefore thoroughly evaluate their financial arrangements with referral providers to ensure they remain compliant with current laws as the legal landscape continues to change. And before engaging in telehealth services of any kind, healthcare providers and businesses should familiarize themselves with the latest rules and regulations, and seek legal guidance to ensure compliance.

OIG Flexibilities End on May 11, 2023

The HHS OIG announced that its flexibilities end when the federal public health emergency expires on May 11, 2023. In response to the PHE, the OIG had published two policy statements: one indicated that the OIG would not subject providers to administrative sanctions for reducing or waiving certain patient cost-sharing obligations in response to the PHE, and the other indicated that the OIG would exercise its enforcement discretion and not impose administrative sanctions for certain remuneration related to COVID-19 and covered by the CMS’s blanket waivers. The OIG also published FAQs on arrangements connected to COVID-19. Although the OIG indicated these flexibilities end on May 11, the OIG also highlighted its statement in the FAQs indicating that, “Given the unique circumstances surrounding the public health emergency, OIG may take a different position on arrangements that are the same or similar in nature that existed before the effective date of the COVID-19 Declaration or after the time such COVID-19 Declaration ends.”

Georgia Law Enforcement Agencies’ COVID Fraud Task Force

In April 2020, the three United States Attorneys Offices in Georgia, along with the Georgia Attorney General’s Office and the Office of the Governor, announced a new COVID-19 Fraud Task Force, which they said was “aimed at better protecting the citizens of Georgia from criminal fraud arising from the pandemic.” The DOJ’s press release stated:

“The task force will enhance communication between partner agencies and more rapidly share information about COVID-19 fraud, while ensuring each fraud complaint is reported to the appropriate prosecuting agency. Task force member agencies include the Office of the Governor of Georgia, the Office of the Attorney General of Georgia, the U.S. Attorney’s Office for the Northern District of Georgia, the U.S. Attorney’s Office for the Middle District of Georgia and the U.S. Attorney’s Office for the Southern District of Georgia. Georgia’s three U.S. Attorneys, the Attorney General of Georgia and the Executive Counsel for the Governor’s Office serve on the task force.”

The Press Release listed the following examples of COVID-19-related fraud that the Task Force is targeting:

  • Treatment scams: Scammers are selling fake vaccines, medicines, and cures for COVID-19.
  • Supply scams: Scammers are claiming they have in-demand products, like cleaning and household supplies, and medical supplies, but when an order is placed, the scammer takes the money and never delivers the order.
  • Charity scams: Scammers are fraudulently soliciting donations for non-existent charities to help people affected by the COVID-19 crisis. Scammers often use names that are similar to the names of real charities.
  • Phishing scams: Scammers, posing as national and global health authorities, such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), are sending fake emails and texts to trick the recipient into sharing personal information like account numbers, Social Security numbers, and login IDs and passwords.
  • App scams: Scammers are creating COVID-19 related apps that contain malware designed to steal the user’s personal information.
  • Provider scams: Scammers pretending to be doctors and hospitals demand payment for COVID-19 treatment allegedly provided to a friend or family member of the victim.
  • Investment scams: To promote the sale of stock in certain companies—particularly small companies, about which there is little publicly available information—scammers are making false and misleading claims that those companies can prevent, detect or cure COVID-19.

The formation of this Task Force, in combination with other recent statements by the DOJ and State AGs regarding combating COVID-19-related fraud, demonstrates that detecting and punishing such fraud is a top government law enforcement priority at this time, and will be for the foreseeable future. Healthcare providers and businesses should therefore expect an increase in criminal prosecutions and civil and administrative enforcement actions going forward. (See, e.g., and

Besides enforcement actions relating to telehealth, COVID testing and treatment scams, and opioid schemes, government agencies are also investigating and pursuing numerous allegations of potential fraud relating to the Coronavirus Aid, Relief and Economic Security Act (the “CARES Act”) and Paycheck Protection Program (the “PPP”). If you, your practice or your company receive any communication from the DOJ, FBI, HHS-OIG, GBI, Georgia Attorney General’s Office, or any other federal or Georgia enforcement agency, regarding potential fraud related to any of these issues, you should contact legal counsel promptly.

COVID-19 Vaccine Program Provider Fraud Policy & Accountability

On February 19, 2021, healthcare providers administering vaccines in Georgia were instructed by the Georgia Department of Public Health (“DPH”) to read and sign a vaccine provider policy and agreement by March 1, 2021, to ensure their continued participation in the vaccine administration program. Vaccine providers in Georgia must sign the document and promise adherence to the state policy. This policy provides programmatic direction to limit fraud in the CDC’s COVID-19 Vaccine Program (“Program”). Providers who enroll in the Program are required to adhere to all the requirements outlined in the Program Provider Enrollment Agreement (“Agreement”).

COVID-19 vaccines supplied through the Georgia Department of Public Health Georgia Immunization Program (“DPH/GIP”) are funded through the Program, and are administered in accordance with federal and state laws, regulations and issued guidance. Program Providers must administer vaccine in accordance with the DPH published COVID-19 Vaccination Plan (“Plan”), found at:

Program Providers are prohibited from selling program vaccines, receiving any inducement, whether direct or indirect, for vaccinating (or providing Program vaccine to be used for vaccinating) any individual who is not currently eligible to receive Program vaccine as a member of a group currently authorized under DPH’s Plan, or otherwise diverting Program vaccine from the Program. According to DPH, such use constitutes fraud, is a violation of the terms of the Agreement, and shall be cause for immediate termination from the Program and criminal or civil prosecution for violation of 18 U.S.C. § 1001 or other relevant federal statutes.

The DPH Administrative Order for Vaccine Usage and Accountability dated February 18, 2021, outlines the penalties for not following guidelines. Potential offenses targeted by the state include vaccinations done “outside of Georgia’s current phase as reflected on DPH’s website, except as set forth in the Accountability and Waste Avoidance Policy to avoid wasting vaccine.’’ Other penalties relate to providers who:

  • fail to report vaccine administration data into the Georgia Registry of Immunization Transactions and Services (“GRITS”) within 24 hours of administration;
  • knowingly vaccinate people who do not live or work in Georgia;
  • refuse to vaccinate an eligible person from a different Georgia county than the provider; or
  • fail to use all reasonable efforts to administer a second dose to vaccine recipients who received a first dose from the provider.

The state also outlined penalties for not reporting to the immunization registry the vaccine doses administered. Penalties include written warnings, suspension or termination from the vaccine Program, and a moratorium on receiving shipments of doses. Under recently published state rules, providers will receive a 45-day suspension the first time they are found to have vaccinated someone not yet eligible; they will be terminated from the vaccination program for a second offense. Those rules describe other types of violations and penalties, such as a warning for a first offense, followed by a two-week moratorium on vaccine shipments for a second offense, of inoculating someone who neither lives nor works in Georgia.

Providers with questions about the Plan, including questions about the current phase or populations eligible to receive vaccine under the current phase, should consult with DPH/GIP staff prior to administering vaccine. (Please see also our Medical & Professional Licensing Board Matters webpage for additional details regarding COVID-19 Emergency Practice, Telehealth & Teleprescribing Measures. See our HIPAA, Health Information Privacy & Security Compliance webpage for details regarding HIPAA Compliance & Waivers During the COVID-19 Pandemic. And see our Healthcare Provider/Provider & Provider/Payer Disputes webpage for details regarding Coronavirus/COVID-19 Pandemic Reimbursement Updates.)

Conclusion/How We Can Help

With enactment of the ACA and EKRA, the government’s healthcare fraud prevention and enforcement actions via Stark, the AKS and FCA have been strengthened and expanded further. And because violations of Stark and the AKS are now statutorily grafted into the FCA, individuals or entities found in violation of any of those three laws automatically face the severe civil penalties established by the FCA. Additionally, Georgia has enacted its own laws to prevent healthcare fraud, waste or abuse. As a result, government healthcare recovery actions and the amounts recovered in those actions continue to rise.

For almost any business other than one in healthcare, it is acceptable (and often a good idea) to reward those who send you business with financial incentives. Doing so in other industries and paying for “productivity” is usually considered smart business. However, in the healthcare industry, improper referral relationships can have dire legal and financial consequences. As the OIG has warned, “in the federal health care programs, paying for referrals is a crime.” Therefore, if you are a healthcare provider, or owner or operator of a business in the healthcare industry, you are well-advised to set aside what may be your normal business instincts when it comes to referral relationships. And contact a healthcare lawyer if you have any question before compensating, or agreeing to compensate, for any referral, or entering into any financial relationship.

We are a healthcare and business law firm focused on helping healthcare providers, professionals and businesses succeed within the bounds of the law. We advise and represent physicians, medical groups, equipment suppliers, healthcare professionals, consultants and other businesses in the healthcare industry in Alpharetta, Atlanta, Cumming, Duluth, Johns Creek, Milton, Norcross, Roswell, Suwanee and across Georgia. If you have a question concerning federal or Georgia patient referral or healthcare fraud prevention laws, or other healthcare regulatory issues, please do not hesitate to contact us.

© 2018 - 2024 Law Office of Kevin P. O'Mahony. All rights reserved.
This law firm website is managed by Proven Law Marketing.

Site Map | Disclaimer