Stark, Anti-Kickback, Civil Monetary Penalty & False Claims Act Issues
Financial relationships in healthcare raise a number of potential issues under a variety of federal and state fraud and abuse laws that don’t typically arise in other industries. The Department of Health & Human Services (“HHS”) Office of the Inspector General (“OIG”) has identified the five most important federal fraud and abuse laws that apply to physicians and health industry participants who have relationships with them. Those laws include: the Physician Self-Referral Law (“Stark Law”), the Anti-Kickback Statute (“AKS”), the False Claims Act (“FCA”), the Civil Monetary Penalties Law (“CMPL”), and the Exclusion Authorities (federal statutes under which healthcare providers may be excluded from federal healthcare programs).
Like some other states, Georgia has also enacted its own Patient Self-Referral Act (the “Georgia Stark Law”) and two separate False Claims Acts (the “State False Medicaid Claims Act” and the “Georgia Taxpayer Protection False Claims Act”). So healthcare providers and businesses in Georgia are now regulated on both the state and federal levels by numerous laws designed to prevent and punish fraud or abuse. And some of these laws may be used to help prove fraud or abuse not only when a government agency or program is involved, but also in situations in which private insurers or patients themselves pay for healthcare services.
In recent years, federal and Georgia healthcare regulators (as well as private insurers) have obtained record recoveries from civil cases alleging fraud, abuse and false claims. And most recently, the broadened statutory bases of FCA recovery established by the Patient Protection and Affordable Care Act (“ACA”) have resulted in even greater proliferation of healthcare fraud recovery actions. Moreover, under the qui tam provisions of the FCA, private individuals may file enforcement actions on behalf of the government if they learn of fraudulently submitted claims that are otherwise undetected. Known as “relators” or “whistleblowers,” these individuals may receive up to 30 percent of any successful recovery, which has led to even more lawsuits and liability.
Consequently, these healthcare fraud prevention and enforcement laws should get the careful attention – if not strike fear in the heart – of any owner or operator of a business providing healthcare services in Georgia. A brief overview of the federal laws involved follows.
The Stark Law
The Stark Law (named for Congressman Pete Stark who sponsored the initial bill) refers to prohibition of the practice of physician self-referral under circumstances where a patient is referred to a medical facility in which the referring physician or an immediate family member has a pecuniary interest. Financial relationships that may violate Stark include both ownership/investment interests and compensation arrangements, which may be direct or indirect. Violations are subject to a strict liability standard (intent to defraud need not be proved), and enforcement extends to almost any type of remuneration within the Medicare system for patient referrals, unless a specific exception applies.
Like the AKS and FCA (summarized below), penalties under Stark can be devastating. They include recovery of payments made in violation, imposition of a $23,863 per service civil monetary penalty for violations, and a monetary fine of $100,000 for each arrangement found to have willfully circumvented the statutory scheme. Because many services or claims may be billed before a potential problem is detected or an issue is raised, potential liability can easily become astronomical.
The Anti-Kickback Statute
Similar to Stark but broader, the AKS prohibits anyone from offering, paying, soliciting or receiving remuneration (monetary or otherwise) to induce or reward referrals or generate business for anyone participating in any federal healthcare program (e.g., drugs, supplies or healthcare services for Medicare or Medicaid patients). Remuneration includes anything of value and can take many forms besides cash, such as free or below-market rent, hotel stays, meals and excessive compensation for medical directorships or consultancies.
Although neither knowledge of the AKS nor intent to commit a violation is required, the proof requirement under the AKS, unlike Stark, is knowing and willful misconduct. As a result, those found in violation of the AKS also face criminal penalties in the form of a prison term for each violation. Moreover, recent amendments to the AKS now establish that a violation of the AKS constitutes a false or fraudulent claim under the FCA, even if the service was medically necessary and properly provided.
Civil monetary penalties of up to three times each kickback and $50,000 per violation may be awarded under the AKS. Criminal penalties and administrative sanctions for violating the AKS include fines, jail terms and exclusion from participation in the federal healthcare programs.
“Safe harbor” rules protect certain payment and business practices that could otherwise implicate the AKS from civil and criminal prosecution. Some safe harbors address personal services and rental agreements, investments in ambulatory surgical centers, and payments to bona fide employees. But to be protected by a safe harbor, an arrangement must fit squarely in the safe harbor and satisfy all of its requirements.
The False Claims Act
The FCA permits recovery of funds from anyone who knowingly presents or causes to be presented a fraudulent claim for payment to the government. Examples of conduct that may violate the FCA include:
- Charging or submitting claims for services that were not rendered or performed
- Charging or submitting claims for services that were not medically necessary
- Charging or submitting claims for services for which patients do not meet the medical criteria to receive those services
- Double billing (charging more than once for the same service)
- Changing patient diagnosis for billing purposes
- Upcoding patient visits
- Unbundling billing codes (e.g., billing parts of a single, whole procedure separately instead of under a comprehensive code)
- Bundling (e.g., billing for a battery of tests when only a single test was ordered)
- Forging physician signatures on required medical documentation
- Billing for brand name drugs when only generic were provided
- Billing for premium equipment but providing inferior equipment
- Off -label marketing of pharmaceuticals
- Failing to report and return an overpayment by the government for the sale of a good or service (violating the 60-day rule)
- False certifications of compliance with applicable federal and state laws
- Paying kickbacks to physicians or other medical providers to refer patients for services in violation of the Stark or Anti-Kickback laws
To establish FCA liability, it must be proven that a defendant knowingly submitted or caused to be submitted a false claim for reimbursement of services. The claim need not be entirely fraudulent in order to violate the FCA, however. Rather, the FCA prohibits use of any false statement or document in support of a claim for government funds. In addition, liability under the FCA also attaches to anyone who acts improperly to avoid having to pay money to the government (known as “reverse” false claims).
The FCA is also known for its qui tam (whistleblower) provisions, which include a strong anti-retaliation provision. With the proliferation of FCA qui tam actions, healthcare businesses of all types and sizes must not only attempt to avoid whistleblower claims by taking proactive measures to ensure compliance within the organization, they must also be careful to take concerns from potential whistleblowers seriously and not act in any way that could be viewed as retaliatory.
Financial recovery under the FCA can be crippling, with penalties of $5,500 to $11,000 per claim plus three times the government’s actual damages. In the context of Medicare billing, the potential exists for a catastrophic judgment based on the number of claims at issue. Individuals may be held responsible if found to have acted willfully, recklessly, or with deliberate ignorance in making or causing the submission of false claims. Those responsible may even face criminal charges. And, as noted above, liability under the FCA is allowable for violations of the Stark Law or AKS. So the potential for imposition of individual liability and/or criminal sanctions allows the government to obtain large settlements when it has credible allegations of FCA violations.
The Civil Monetary Penalties Law
The CMPL authorizes HHS’s Secretary to impose civil monetary penalties, an assessment, and program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs. Penalties range from $2,000 to $100,000 for each violation, depending on the specific misconduct involved. Thus, the monetary sanctions imposed generally far exceed the damages actually sustained by the government. The OIG must only prove liability by a “preponderance of the evidence” rather than the more demanding “beyond a reasonable doubt” standard required in criminal actions. And a healthcare provider owner or operator can be held liable based on his, her or its own negligence, or the negligence of employees. There is no requirement that intent to defraud be proved.
The Eliminating Kickbacks in Recovery Act
As part of the federal government’s efforts to combat the nationwide opioid crisis, Congress enacted the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (the “SUPPORT Act”), effective October 2018. Under two sections of the SUPPORT Act, Congress enacted the Eliminating Kickbacks in Recovery Act (“EKRA”), with the intent of prohibiting individuals from referring substance abuse patients in exchange for kickbacks to recovery homes, clinical treatment facilities and laboratories.
EKRA prohibits knowingly and willfully soliciting, receiving, offering or paying remuneration, directly or indirectly, in return for referring a patient to, or in exchange for an individual using the services of, a recovery home, clinical treatment facility, or laboratory with respect to services covered by a health care benefit program. The term “health care benefit program” includes “any public or private plan or contract affecting commerce, under which any medical benefit, item or service is provided to any individual, and includes any individual or entity who is providing a medical benefit, item or service for which payment may be made under the plan or contract.”
EKRA defines “recovery home” as “a shared living environment that is, or purports to be, free from alcohol and illicit drug use and centered on peer support and connection to services that promote sustained recovery from substance use disorders.” “Clinical treatment facility” is defined as “a medical setting, other than a hospital, that provides detoxification, risk reduction, outpatient treatment and care, residential treatment, or rehabilitation for substance use, pursuant to licensure or certification under state law.” “Laboratory” is defined to include all clinical laboratories, and thus all referrals for clinical laboratory tests implicate EKRA, regardless of whether the tests relate to substance abuse testing or treatment.
Importantly, EKRA does not define the term “referral.” Because EKRA’s prohibition against kickbacks is limited to remuneration paid in exchange for referrals or an individual’s use of services, an authoritative interpretation of the term “referral” under EKRA is necessary to determine the scope of the law. But while we await further clarification, EKRA established a new public and private payor intent-based criminal anti-kickback law that prohibits any form of remuneration in exchange for referrals to, or an individual’s use of, all entities that meet the definitions of recovery homes, clinical treatment facilities or laboratories, including referrals to laboratories unrelated to substance abuse testing or treatment.
EKRA includes eight exceptions to its broad prohibition on the payment of remuneration. Specifically, EKRA provides exceptions for the following types of arrangements, provided that they meet certain specified requirements: (1) discounts obtained by service providers; (2) payments made to employees and independent contractors that meet certain structural requirements; (3) drug manufacturer discounts provided under the Medicare coverage gap discount program; (4) arrangements that meet the personal services and management contracts safe harbor under the AKS; (5) waivers or discounts of coinsurance or copayments; (6) remuneration between healthcare entities and an individual or entity pursuant to an agreement that contributes to the availability (or enhances the quality) of services provided to medically underserved populations; (7) remuneration made pursuant to an alternative payment model or other model determined by the HHS Secretary to be necessary for care coordination or value-based care; and (8) any other regulatory safe harbor promulgated by the Attorney General in consultation with HHS’s Secretary that clarifies the exceptions described in (1) – (7) above.
While some of EKRA’s exceptions appear similar to certain exceptions and safe harbors available under the AKS, EKRA’s exceptions are inconsistent with the corresponding AKS exceptions and/or safe harbors. And because pre-existing federal laws, such as the AKS and Stark Law, govern the same arrangements implicated by EKRA, inconsistencies between EKRA and the AKS or Stark may lead to significant difficulties for healthcare providers and other entities and individuals that now must comply with EKRA in addition to pre-existing laws. For example, one important difference between EKRA’s exceptions and the AKS’s safe harbors is the absence of the AKS’s employment safe harbor under EKRA. This means that previously compliant payment methodologies structured under the AKS’s employment safe harbor (such as paying W-2 employees volume or value-based commissions) are now at risk of violating EKRA. Moreover, state laws applicable to kickbacks, fee-splitting and self-referral may also be inconsistent with EKRA. In that regard, EKRA includes a confusingly written preemption section that specifies that (1) EKRA does not apply to conduct that is prohibited under the AKS, and (2) EKRA shall not “be construed to occupy the field in which any provisions of this section operate to the exclusion of State laws on the same subject matter.”
Similar to certain other federal laws in this area, EKRA is a criminal statute that includes a “knowing and willful” intent requirement. Violators of EKRA will be subjected to a fine of up to $200,000 or imprisonment of 10 years, or both, for each occurrence. Additionally, a violation of EKRA could have other collateral consequences, such as licensure sanctions, revocation, and exclusion from governmental healthcare programs.
EKRA is broadly drafted in a manner that requires those involved in healthcare arrangements that otherwise comply with federal and state fraud and abuse laws to reassess their compliance. Given the various areas of uncertainty created by EKRA, healthcare providers and other entities and individuals in the healthcare industry should consider taking a conservative approach when evaluating all relationships with recovery homes, clinical treatment facilities and laboratories that are governed by EKRA. Until Congress refines EKRA, or the Attorney General promulgates regulations, or there is other guidance (such as case law) interpreting EKRA, many existing relationships in the healthcare industry need to be revised in order to comply with EKRA and avoid risking criminal liability.
New Rule Expanding Anti-Fraud Measures
In September 2019, the Centers for Medicare & Medicaid Services (“CMS”) issued a final rule (84 Fed. Reg. 47794) that includes several anti-fraud measures and significantly expands the agency’s authority to exclude new and current providers and suppliers that are identified as posing an undue risk of fraud, waste or abuse. Importantly, the new measures require providers and suppliers to disclose upon CMS request and upon application for initial enrollment or revalidation, any “affiliations” with parties who have one or more defined “disclosable events.” The final rule became effective on Nov. 4, 2019.
Disclosure of Affiliations With Individuals or Entities That Have a Disclosable Event
The new disclosure measure requires all providers to disclose any current or prior affiliations (within the past five years) the provider or any of its owning or managing employees or organizations has or had with a current or former Medicare provider with a “disclosable event.”
A “disclosable event” is broadly defined to include:
- An uncollected debt to CMS;
- Current or previous payment suspension from a federal health care program;
- Current or previous exclusion from a federal health care program; or
- Previous denial, revocation, or termination of Medicare, Medicaid, or CHIP billing privileges.
“Affiliation” is also broadly defined to include:
- A 5% or greater direct or indirect ownership in another organization;
- A general or limited partnership interest in another organization;
- An interest in which the entity or individual “exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization”;
- An interest in which the individual acts as “an officer or director of a corporation”; or
- Any reassignment relationship under 42 C.F.R. § 424.80 (the “prohibition of reassignment of claims by suppliers” rule).
If there is a triggering affiliation, the provider must disclose certain information about its affiliate, such as the legal and d/b/a names, tax identification number, National Provider Identifier (“NPI”), reason for disclosure, length of the relationship, type of relationship, degree of affiliation, and (if applicable) reason for termination.
The risk in having a triggering affiliation is that CMS can deny or revoke enrollment if it determines the affiliation “poses an undue risk of fraud, waste, or abuse.” This power extends to reported and unreported affiliations. CMS can also deny enrollment or revoke an existing enrollment if it requests information about the affiliation and the provider fails to “fully and completely disclose” the required information when it “knew or should have known of th[e] information.”
Unsurprisingly, the breadth of this rule generated a significant number of comments. But a common theme of these comments was a concern over CMS’s wide discretion to determine that an affiliation will result in an undue risk of fraud, waste or abuse. CMS tried to address this concern with a mere promise that actions against a provider will only be taken “after careful consideration of the facts and circumstances.”
Other Anti-Fraud Measures
In addition to establishing the new disclosure requirement, the rule gives CMS more authority and discretion to revoke or deny Medicare enrollment. For example, CMS will now be able to revoke or deny Medicare enrollment if:
- The agency determines that a previously excluded provider or supplier is attempting to reenter the program under a different identifier (name, numeral identifier, business identity);
- A provider or supplier bills for services or items that it knew or should have reasonably known are from non-compliant locations;
- A physician or eligible professional exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services, or drugs; or
- A provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.
Other important changes include CMS’s new authority to prohibit a provider from enrolling in Medicare for up to three years if the basis for its initial enrollment denial was the submission of false or misleading information in its application, and an extension of the reenrollment bar against previously excluded providers from three to up to 10 years. Furthermore, providers or suppliers that are revoked from Medicare for a second time may be prohibited from applying to re-enroll in the program for up to 20 years.
We currently are advising clients regarding compliance with this new rule. Please let us know if you have concerns about your risk under this new rule or are interested in preparing or revising policies to comply with the new final rule.
New Stark & AKS Rules Proposed by CMS & OIG
In October 2019, CMS and OIG published proposed rules in conjunction with HHS’s “Regulatory Sprint to Coordinated Care.” The Regulatory Sprint to Coordinated Care “aims to remove potential regulatory barriers to care coordination and value-based care created by four key Federal health care laws and associated regulations: (1) the physician self-referral law [(“Stark Law”)]; (2) the anti-kickback statute [(“AKS”)]; (3) the Health Insurance Portability and Accountability Act of 1996 [(“HIPAA”)]; and (4) the rules… related to opioid and substance use disorder treatment.”
The “CMS Proposed Rule” proposes changes to the Stark Law regulations. The CMS Proposed Rule aims “to alleviate the undue impact of the physician self-referral statute and regulations on parties that participate in alternative payment models and other novel financial arrangements and to facilitate care coordination among such parties” with new exceptions for value-based compensation arrangements between or among physicians, providers, and suppliers that “satisfy specified requirements based on the characteristics of the arrangement and the level of financial risk undertaken by the parties to the arrangement or the value-based enterprise of which they are participants.”
The CMS Proposed Rule also contains more general proposals that “seek to balance genuine program integrity concerns against the considerable burden of the physician self-referral law’s billing and claims submission prohibitions by reassessing the appropriate scope of the statute’s reach.” For instance, CMS proposes to revise the definition of “fair market value” to “eliminate the connection to the volume or value standard” and add a definition of “commercially reasonable” to mean “that the particular arrangement furthers a legitimate business purpose of the parties and is on similar terms and conditions as like arrangements.” In connection with the latter proposal, CMS proposes that “[a]n arrangement may be commercially reasonable even if it does not result in profit for one or more of the parties.”
In addition, the CMS Proposed Rule would create new exceptions for “nonabusive business practices,” including arrangements under which a physician receives limited remuneration and donations of cybersecurity technology and related services. It would also amend the existing exception for the donation of electronic health record (“EHR”) items and services, including by removing the sunset provision. CMS also specifically requested comments about price transparency in the context of the Stark Law, including whether to require cost-of-care information at the point of referrals.
The “OIG Proposed Rule” proposes regulatory changes impacting the scope of the AKS and the Civil Monetary Penalties Law. The OIG Proposed Rule would add a number of safe harbor protections, including for coordinated care and associated value-based arrangements between or among clinicians, providers, and suppliers. These would include safe harbors for: (1) care coordination arrangements aimed at improving quality and outcomes; (2) value-based arrangements with substantial downside financial risk; and (3) value-based arrangements with full financial risk. The OIG Proposed Rule would also add a safe harbor for beneficiary incentives under the Medicare Shared Savings Program and, like the CMS Proposed Rule, for donations of cybersecurity technology.
In addition to new safe harbors, the OIG Proposed Rule would also amend the existing safe harbors for EHR arrangements, warranties, local transportation, and personal services and management contracts. The OIG’s focus in the rulemaking is on ensuring protected arrangements “promote coordinated patient care and foster improved quality, better health outcomes, and improved efficiency,” and “would not be misused to perpetrate fraud and abuse.”
These proposed changes, if adopted, could signal broad reform in the application and enforcement of federal fraud and abuse laws, with wide-ranging implications for the types of arrangements that may be permissible for healthcare industry participants. Through these proposed rules, HHS seeks to remove key burdens on providers under the Stark Law and AKS, without creating substantial risk of increased fraud and abuse. Both CMS and OIG noted the “close nexus” of the two laws, and aligned requirements between the two laws where they could, but also noted that the AKS often acts as a “backstop” to the Stark Law such that some of OIG’s proposals are stricter.
In general, most providers are likely to welcome these proposed changes, even though many existing provider arrangements may need to be revised or terminated to comply with the amendments. The proposed changes are subject to a public comment period until Dec. 31, 2019, and the final rules are expected in 2020. Please do not hesitate to contact us for more information regarding these proposed rules or for assistance in preparing for their anticipated finalization.
Recent $46 Million FCA Settlement Arising Out of Alleged Stark & AKS Violations Illustrates Risks Healthcare Providers Face
In November 2019, the Department of Justice (“DOJ”) announced a settlement with California-based Sutter Health and Sacramento Cardiovascular Surgeons Medical Group Inc. over alleged violations of the Physician Self-Referral Law and the Anti-Kickback Statute. Sutter and Sacramento Cardio agreed to pay $46 million. The whistleblower suit was brought by a former Sutter Health compliance officer who accused the hospital group of improperly billing Medicare and providing kickbacks to physicians at Sacramento Cardio for referring patients to Sutter.
Here is a portion of the DOJ’s press release, highlighting the very real risks hospitals, physicians and others in the healthcare industry face:
Several hospitals owned and operated by Sutter Health (Sutter), a California-based healthcare services provider, and Sacramento Cardiovascular Surgeons Medical Group Inc. (Sac Cardio), a practice group of three cardiovascular surgeons, have agreed to pay the United States a total of $46,123,516 to resolve allegations arising from claims they submitted to the Medicare program, the Department of Justice announced today.
The Physician Self‑Referral Law, commonly known as the Stark Law, prohibits a hospital from billing Medicare for certain services referred by physicians with whom the hospital has a financial relationship, unless that relationship satisfies one of the law’s statutory or regulatory exceptions. It is intended to ensure that medical decision-making is not influenced by improper financial incentives and is instead based on the best interests of the patient.
As part of the settlements announced today, one of Sutter’s hospitals, Sutter Memorial Center Sacramento (SMCS), has agreed to pay $30.5 million to resolve certain allegations that, from 2012 to 2014, it violated the Stark Law by billing Medicare for services referred by Sac Cardio physicians, to whom it paid amounts under a series of compensation arrangements that exceeded the fair market value of the services provided. Relatedly, Sac Cardio has agreed to pay $506,000 to resolve allegations that it knowingly submitted duplicative bills to Medicare for services performed by physician assistants that it was leasing to SMCS under one of those compensation arrangements.
“Improper financial arrangements between hospitals and physicians can influence the type and amount of health care that is provided,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division. “The Department is committed to taking action to eliminate improper inducements that can impact physician decision-making.”
“This office will continue to take all appropriate action to help ensure that the beneficiaries of federal health care programs receive services untainted by improper financial incentives,” said U.S. Attorney David L. Anderson for the Northern District of California.
“Providers must rigorously comply with the law and Medicare requirements,” said U.S. Attorney McGregor W. Scott for the Eastern District of California. “This office is committed to pursuing enforcement actions that will ensure the integrity of federal health care programs.”
Separately, Sutter has agreed to pay $15,117,516 to resolve other conduct that it self‑disclosed to the United States, principally concerning additional violations of the Stark Law. Specifically, Sutter hospitals submitted Medicare claims that resulted from referrals by physicians to whom those hospitals (1) paid compensation under personal services arrangements that exceeded the fair market value of the services provided; (2) leased office space at below-market rates; and (3) reimbursed physician-recruitment expenses that exceeded the actual recruitment expenses at issue. Additionally, several Sutter ambulatory surgical centers double-billed the Medicare program by submitting claims that included radiological services for which Medicare separately paid another entity that had performed those services.
Certain allegations relating to SMCS and Sac Cardio were originally brought by Laurie Hanvey in a lawsuit filed under the whistleblower provisions of the False Claims Act, which allow private parties to bring suit on behalf of the federal government and to share in any recovery. The whistleblower will receive $5,891,140 as her share of the federal government’s recovery in this case. The case is captioned United States ex rel. Hanvey v. Sutter Health et al., Civil Action No. 14-4100 (N.D. Cal.).
With recent enactment of the ACA and EKRA, the government’s healthcare fraud prevention and enforcement actions via Stark, the AKS and FCA have been strengthened and expanded further. And because violations of Stark and the AKS are now statutorily grafted into the FCA, individuals or entities found in violation of any of those three laws automatically face the severe civil penalties established by the FCA. As a result, government healthcare recovery actions and the amounts recovered in those actions continue to rise.
For almost any business other than one in healthcare, it is acceptable (and often a good idea) to reward those who send you business with financial incentives. Doing so in other industries and paying for “productivity” is usually considered smart business. However, in the healthcare industry, improper referral relationships can have dire legal and financial consequences. As the OIG has warned, “in the federal health care programs, paying for referrals is a crime.” Therefore, if you are a healthcare provider, or owner or operator of a business in the healthcare industry, you are well-advised to set aside what may be your normal business instincts when it comes to referral relationships. And contact a healthcare lawyer if you have any question before compensating, or agreeing to compensate, for any referral.
We are a healthcare and business law firm focused on helping healthcare providers, professionals and businesses succeed within the bounds of the law. We advise and represent physicians, medical groups, equipment suppliers, healthcare professionals, consultants and other businesses in the healthcare industry in Alpharetta, Atlanta, Cumming, Duluth, Johns Creek and across Georgia. If you have a question concerning federal or Georgia patient referral or healthcare fraud prevention laws, or other healthcare regulatory issues, please do not hesitate to contact us.