Healthcare is a business, and fortunately most of those involved in the business of healthcare are ethical and moral people. To be sure, there are some who commit fraud and steal from the system. Many are caught and suffer civil and criminal penalties for their deliberate actions, and many more get away with fraud longer than they should.
Corporate business people are also mostly moral people. Unfortunately, the media attention to corporate fraud has led to the proliferation of Qui Tam lawsuits and regulations such as Sarbanes-Oxley. These worlds overlapped this year when Disaster Preparedness guidelines, corporate financial forecasts, the signatory obligations imposed by the National Response Plan (NRP) and the mandates of the National Incident Management System (NIMS) collided.
When a High Alert, LLC white paper raised the specter of NRP/NIMS compliance being linked to CMS (Medicare, Medicaid and Tricare) billing last year, the discussion was strictly theoretical. Several federally funded training programs have now brought to the table a new and ominous implication of the NIMS Integration Center Implementation Plan for Hospitals and Healthcare. Additionally, hospitals have reported being informed that disaster preparedness will be linked to CMS reimbursement (Medicare, Medicaid and Tricare payments).
A recent National Incident Management System (NIMS) update alert from the NIMS Implementation Center included an obscure reference to a frequently asked question (FAQ) document on the FEMA website. This document, posted on April 20, 2007, was, like many documents before it, deeply buried within the FEMA website, accessible only to those who knew where to find it.
The last two questions on this FAQ document dealt with a raging debate regarding the repercussions of failing to be NIMS compliant before the looming September 30, 2007 deadline.
The first answered the question of whether the Joint Commission required NIMS compliance for accreditation. The answer stated “Not at this time.”
The second question similarly was a response to inquiries regarding whether CMS required NIMS compliance for Medicare and Medicaid benefits and reimbursements. Again the answer was “Not at this time.”
The April 20th update was posted almost exactly three weeks to the day after High Alert, LLC privately circulated a pre-released draft of its white paper on the association of NIMS, NRP, the NIMS Implementation Plan for Hospitals and Healthcare, the Federal False Claims Act (Qui Tam) and the Sarbanes-Oxley Act. In that much-circulated document, High Alert referenced several early positions by the Justice Department and the NIMS Implementation Center that placed hospitals and other healthcare facilities at risk of Medicare fraud and the repercussions of that fraud under both the Federal False Claims Act and Sarbanes-Oxley.
Subsequent to the passage of the September 30th deadline, President Bush issued Homeland Security Presidential Directive 21 (HSPD-21), in which the President called for the recognition and advancement of Disaster Healthcare by the Department of Defense, the Public Health Service and private hospitals and healthcare institutions. Homeland Security Presidential Directives, like all Presidential Directives and Executive Orders, have the full effect and force of law. Thus, when the President instructed the Secretary of Health and Human Services (HHS) to use economic incentives through the Center for Medicare Services (CMS) to induce private hospitals and healthcare to fully participate and comply with disaster preparedness and disaster healthcare efforts, the President placed the full force of law behind healthcare disaster preparedness and disaster medicine.
This is the first step in a progression that, if followed by CMS, Department of Health and Human Services (DHHS), Department of Homeland Security (DHS) and Department of Justice (DoJ), will put the full weight and power of the federal government behind an unfunded mandate for hospital preparedness. An appreciation of how CMS and DoJ have dealt with healthcare providers who have run afoul of these agencies in the past 18 months may portend the future.
In early 2006, DoJ instituted a change in how it dealt with Medicare, Medicaid and Tricare fraud. In prior years, these issues were typically dealt with as civil issues with civil penalties and restitution. Most offenders pleaded “guilty” or “no contest” to the charges, paid a fine and went home. Beginning in early 2006, DoJ began using the “guilty” plea from the civil cases as evidence to prosecute these individuals criminally. The types of insurance fraud ran the gamut from billing for nonexistent patients to billing more than the documentation would support. It is this latter prosecution that is the cause of concern.
NRP and NIMS regulations are promulgated upon all signatories to NRP/NIMS, including DHHS. As signatories, all government agencies agree to promulgate the requirements of NRP/NIMS upon all their agencies/departments. Since DHHS is a signatory, this would include CMS (Medicare, Medicaid, Tricare). Since all healthcare providers who bill CMS directly or indirectly are regulated by CMS and have independent contractor status with CMS, the requirements and regulations promulgated upon CMS by NRP/NIMS through DHHS are passed down to those contractors. This is affirmed by every healthcare provider every time they bill CMS on a UB92, CMS1500 or electronic equivalent, because these forms include the attestation that the healthcare provider is in compliance with all regulations and requirements of CMS and the program billed.
It is this last fact that opens the door for DoJ to involve itself in hospital preparedness. Through its actions in 2006, DoJ has shown the willingness to criminally prosecute healthcare providers for overt insurance fraud. Signing the CMS attestation when not in compliance with NRP/NIMS is the same as signing the attestation that chart documentation is in compliance with CMS documentation standards. In short, the failure to be all hazards prepared may have just been raised to the level of a federal felony. Enter Qui Tam.
Qui Tam is a provision of the False Claims Act, which allows for a whistleblower to bring a lawsuit on behalf of the United States, where the whistleblower has information that a Medicare/Medicaid provider has knowingly submitted or caused the submission of false or fraudulent claims. The False Claims Act provides incentive to whistleblowers by granting them between 15% and 30% of any award or settlement amount. In addition, the statute provides an award of the whistleblower’s attorney’s fees.
Once a whistleblower brings suit on behalf of the government, the United States Attorney for the district has the option to take over the case. If the US Attorney does so, the government will usually notify the Medicare/Medicaid provider being sued that a claim has been filed. Qui Tam actions are filed under seal, which has to be partially lifted by the court to allow this type of disclosure. The seal prohibits the defendant from disclosing even the mere existence of the case to anyone, including its shareholders. The government may then, without disclosing the identity of the whistleblower or any of the facts, begin taking discovery from the defendant.
Claims that are falsely presented to the Government for payment are actionable under the False Claims Act. The False Claims Act covers a Medicare/Medicaid provider who:
- Knowingly presented or caused to be presented a false or fraudulent claim for payment or approval to an officer or employee of the government;
- Knowingly made, used, or caused to be made or used, a false record or statement to get a false or fraudulent claim paid by the government;
- Conspired to defraud the government by getting a false or fraudulent claim allowed or paid;
- Knowingly made, used or caused to be made or used, a false record or statement to conceal, avoid, or decrease an obligation to pay or transmit money or property to the government, (“reverse false claim”).
A hospital or healthcare facility which fails to fully implement an NRP/NIMS Compliant “All Hazards” Disaster Preparedness program, and continues to submit Medicare/Medicaid claims including the attestation that the provider is in compliance with all regulations and requirements of CMS and the program billed, presents or causes to be presented a false claim. A claim is “knowingly” made if there is:
- Actual knowledge of a false claim
- Deliberate indifference to the truth or falsity of a claim
- Reckless disregard of the truth or falsity of a claim
The implications for the corporate officers of a hospital go beyond just CMS fraud, civil penalties and imprisonment. Hospitals are now largely operated by public entities and thus file financial forecasts and financial statements. These forecasts are based on projected CMS reimbursements. If a facility is not NRP/NIMS compliant and “All Hazards” disaster prepared, the corporate officers are not only in danger of CMS fraud, but of projecting CMS reimbursements they know are not collectable. Further, the seal on a Qui Tam claim prohibits the defendant from disclosing even the mere existence of the case to anyone, including its shareholders, a fact which is in conflict with the provider’s obligation under Securities and Exchange Commission regulations that require disclosure of lawsuits that could materially affect stock prices. Enter Sarbanes-Oxley.
The Sarbanes-Oxley Act came into force in July 2002 and introduced major changes to the regulation of corporate governance and financial practice. It is named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, and it set a number of non-negotiable deadlines for compliance. Periodic statutory financial reports are to include certifications that:
- The signing officers have reviewed the report
- The report does not contain any material untrue statements or material omissions and cannot be considered misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Sarbanes-Oxley establishes an independent commission which is required to study and report on the extent of off-balance transactions. The commission is also required to determine whether generally accepted accounting principles or other regulations result in open and meaningful reporting.
Financial statements published by regulated companies are required to be accurate and presented in a manner that does not contain incorrect statements. These financial statements must include all material off-balance sheet liabilities, obligations or transactions. Regulated companies are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement must assess the effectiveness of such internal controls and procedures. A registered accounting firm must, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting. Regulated companies are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand, supported by trend and qualitative information of graphic presentations as appropriate.
Sarbanes-Oxley imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. The legislation also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years. Organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States.
Disaster preparedness is no longer just an accreditation issue. “All Hazards” disaster planning is no longer just a requirement of qualifying for federal grants. Education is no longer a last priority. Disaster planning, preparation and education are the newest legal shield for the healthcare corporate officer.
The Unprepared Beware.