OIG Releases Special Fraud Alert About Suspect Payments in Marketing Arrangements Related to Medicare Advantage and Providers

On December 11, 2024, the Office of Inspector General for the U.S. Department of Health and Human Services (“OIG”) issued a special fraud alert warning about certain marketing schemes that involve questionable payments and referrals between Medicare Advantage (“MA”) health plans, health care professionals, and third-party marketers (e.g., agents and brokers) and that can mislead MA enrollees into choosing specific health plans or providers that may not be in the MA enrollees’ best interests or meet their needs (“MA Marketing Alert”). As we have previously advised, special fraud alerts are few and far between—OIG has only issued six in the past 20 years. The importance of the MA Marketing Alert, like its predecessors, should not be taken for granted because it may be instructive as to subsequent enforcement action taken by OIG and/or the U.S. Department of Justice (“DOJ”).

In the MA space, historical enforcement actions taken by both OIG, under their administrative authorities, and DOJ, under the False Claims Act (“FCA”), have related to alleged MA risk adjustment payment inflation schemes. See, e.g., DaVita, Sutter Health, Beaver Medical, Martin’s Point, and Cigna. While allegations of this nature continue to be a focus area (e.g., in OIG’s work plans), a light is also now being shone on inappropriate marketing schemes that could violate the Federal anti-kickback statute (“AKS”). And, based on historical empirical data connecting DOJ’s enforcement actions taken subsequent to OIG’s issuance of special fraud alerts, that light may broaden and brighten.

For example, in July 2022, OIG issued a special fraud alert about arrangements involving telemedicine companies. In a footnote, OIG provided three enforcement actions resolved under the FCA as examples of allegedly problematic arrangements. After providing the footnote examples, OIG described bullet-pointed “Suspect Characteristics” that tracked the allegedly inappropriate characteristics of the footnote examples. Since the alert’s issuance, DOJ has recovered millions under the FCA and also criminally charged and convicted many individuals and entities for allegedly submitting or causing the submission of more than $3.1 billion (in 2023 and 2024 pursuant to DOJ’s nationwide takedowns) in allegedly fraudulent Medicare claims resulting from telemedicine schemes.

While the MA Marketing Alert provides footnotes of only two enforcement actions resolved under the FCA as examples of allegedly problematic arrangements, the bullet point list of “Suspect Characteristics” is broader than and reaches beyond the footnote examples. This may signal OIG’s awareness of and current investigations into allegedly inappropriate arrangements relating to “Suspect Characteristics” that have yet to be settled or resolved.

It is possible that there may be forthcoming enforcement actions in these areas. And they may follow the same trend of enforcement actions taken by DOJ relating to telemedicine schemes after OIG’s July 2022 special fraud alert. We also note that the MA Marketing Alert aligns with the Centers for Medicare & Medicaid Services’ recently finalized regulatory updates relating to MA health plan marketing arrangements with agents, brokers, and Third-Party Marketing Organizations, which will be effective January 1, 2025, and prohibit such parties from creating direct or indirect incentives “that would reasonably be expected to inhibit an agent or broker’s ability to objectively assess and recommend which plan best fits the health care needs of a beneficiary.” Proskauer’s Health Care Group will continue to monitor developments in, and provide updates about, these areas of scrutiny and enforcement.

OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included patient name, patient date of birth, date of sample collection, and the name of the provider who took the specimen, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to NEDLC’s Resolution Agreement and the Corrective Action Plan, there were two potential violations by NEDLC. First, NEDLC allegedly failed to maintain appropriate safeguards to protect the privacy of PHI, as required by 45 C.F.R. § 164.530(c). Second, NEDLC allegedly permitted the impermissible disclosure of PHI, in violation of 45 C.F.R. § 164.502(a). The Corrective Action Plan requires NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

  1. Changes to Policies and Procedures. NEDLC must develop, maintain and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC also must assess, update and revise, as necessary, such policies and procedures at least annually, or as needed, and seek HHS’s approval of the revised policies and procedures.
  2. Designation of Privacy Official. NEDLC must designate a privacy official who is responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, and a contact person or office who is responsible for receiving relevant complaints.
  3. Training Requirements. NEDLC must provide HHS with training materials for its workforce members and seek HHS’s approval of such training materials. NEDLC must also distribute the HIPAA policies and procedures to its workforce members and relevant business associates, and obtain a written compliance certification from all such individuals. NEDLC must provide HIPAA training for new workforce members, and all workforce members at least every 12 months. Each workforce member must certify, in electronic or written form, that they received training. NEDLC must review the training at least annually, and update the training where appropriate. NEDLC must promptly investigate, review, report to HHS, and sanction any workforce member that does not comply with its HIPAA policies and procedures.
  4. Implementation Report and Annual Report. NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements set forth in the settlement, and annual compliance reports.


Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.