James I. Glasser

Summary of Wiggin and Dana's Third Annual Health Care Compliance and Enforcement Roundtable

November 10, 2010 Advisory

On September 14, 2010, Wiggin and Dana, LLP held its third annual Health Care Compliance and Enforcement Roundtable where federal and state enforcement officials discussed enforcement priorities with members of the health care community.

Roundtable Panelists:

  • Arnold Menchel, Assistant Connecticut Attorney General, Connecticut Office of the Attorney General, Director of the Health Care Fraud and Whistleblower Unit;
  • Richard Molot, Civil Health Care AUSA United States Attorney's Office, District of Connecticut;
  • David Sheldon, Criminal Health Care AUSA United States Attorney's Office, District of Connecticut; and
  • Maureen Weaver, Esq., Partner and Chair of the Health Care Department, Wiggin and Dana, LLP.


  • John Hughes, Chief of the Civil Division, United States Attorney's Office and
  • James Glasser, Wiggin and Dana Partner, Co-Chair of the White-Collar Defense, Investigations and Corporate Compliance practice group, and former Chief of the Criminal Division of the United States Attorney's Office for the District of Connecticut.

The panel discussion keyed off of a hypothetical scenario that included potential health care compliance issues on a variety of topics, including the False Claims Act, the Patient Protection and Affordable Care Act, HIPAA, and others. The following summary highlights the compliance issues and government priorities discussed:

1. Modifier 25
According to AUSA Rick Molot, many providers are submitting improper bills to Medicare for evaluation and management (E/M) services using modifier 25. AUSA Molot stated that the government has been actively auditing providers' use of modifier 25 and has collected overpayments due to provider misuse.

Modifier 25 allows providers to bill Medicare for E/M services and for a separately reimbursable procedure on the same day. Generally, Medicare does not allow E/M services to be billed on the same day as a separate procedure since Medicare's fees for procedures already include an E/M component, including pre and post-operative care. However, if the E/M service is "significant, separately identifiable, and above and beyond the usual preoperative and postoperative care associated with the procedure," then the provider may attach modifier 25 to the E/M service claim to receive payment for both the procedure and the E/M service. CMS Internet Only Manual, Pub. 100-4, Medicare Claims Processing Manual, Chapter 12, Section 40.2.

AUSA Molot explained that audits and investigations have demonstrated that providers abuse the modifier by adding it when E/M services were not provided separately and were only provided as a regular part of the procedure. These providers collect double payment for the E/M service: once as part of the payment for the procedure and once as the separate E/M service. AUSA Molot provided as an illustrative example the physical evaluations that a physician routinely performs before and after a stress test. These evaluations cannot be billed to Medicare as E/M services using modifier 25 since they are part of the stress test, which is a separately reimbursable procedure. They are not "significant, separately identifiable, and above and beyond the usual preoperative and postoperative care associated with the procedure." However if, on the same day as the stress test, the patient also complained of a sprained ankle and the physician performed an E/M service in regard to the ankle injury, then the provider may legitimately use modifier 25 since evaluation and management of the ankle injury was entirely separate from the stress test.

AUSA Molot stated that the government uses data mining to identify providers that use modifier 25 disproportionately and that his office may investigate these providers. Assistant Connecticut Attorney General Arnold Menchel added that state enforcement officials are also examining the improper use of modifier 25 in the Medicaid program.

Providers should ensure that they are properly using the modifier and examine past usage of the modifier to determine if any overpayments were made that must be returned.

2. Safeguard Services, LLC
The panelists at the Health Care Compliance and Enforcement Roundtable discussed the role of Safeguard Services, LLC (Safeguard) in health care enforcement. Safeguard is the Program Safeguard Contractor (PSC) for Connecticut; it is an independent contractor hired by CMS to detect fraud and abuse.

As a PSC, Safeguard has access to Medicare Part A and B data and uses data mining equipment and software technologies to proactively detect aberrant billing practices and to investigate possible improper payments. At the conclusion of its investigation and if appropriate, Safeguard may pursue administrative actions, such as overpayment recoupment, or may refer the case to law enforcement authorities, such as the United States Attorney's Office. PSCs generally focus on matters and areas that pose the greatest risks for fraud or abuse; receiving a request for documents or for an interview from a PSC generally indicates more than a routine audit, and providers should take any such request very seriously.

AUSA David Sheldon explained that Safeguard investigates allegations of fraud and abuse on its own and that Safeguard is not a "stalking horse" for the United States Attorney's Office. Nevertheless, according to AUSA Molot, pursuant to contract, providers must comply with Safeguard's requests for documents or interviews. However, he added that in his experience, Safeguard has allowed providers to consult with attorneys prior to producing documents or submitting to interviews and has demonstrated a willingness to negotiate reasonable production dates and schedules for interviews.

Both AUSAs Sheldon and Molot emphasized the importance of provider cooperation and candor when communicating with Safeguard and other contractors, since making false statements to government contractors is itself a separate federal offense. More importantly, both emphasized that when a false statement is uncovered, whether to Safeguard or to the government directly, it frequently changes the way regulators view a matter. Rather than an investigation focusing on a narrow issue or a discrete matter, the discovery of a false statement will cause the government to broaden its investigation and question each representation that is made. AUSAs Molot and Sheldon both recalled having experiences with investigations regarding relatively small sums of money that quickly become much more serious and far-reaching when the government suspected that the provider was not being truthful. Both federal prosecutors also noted that another certain way to get prosecutors' interest is if obstructive conduct is discovered. Obstructive conduct can include shredding or destroying documents, providing false or misleading information or altering records. The discovery of obstructive conduct will almost certainly expose a provider to greater liability than otherwise would have been the case for the underlying matter that the obstruction was endeavoring to conceal.

3. Revenue Enhancement Activities
AUSA Molot indicated that he understood the need for appropriate activities and reviews that are intended to maximize revenues, but he cautioned that the government often views these activities unfavorably. He explained that if a provider is targeting a certain procedure code for revenue improvement, the provider has a "heightened duty" to ensure that it is billing for that code correctly. In addition, AUSA Molot expressed discomfort with financial arrangements that tie compensation to revenue, such as structuring bonus payments based on increased billing. Such arrangements, according to AUSA Molot, can create an incentive to up-code and engage in fraudulent or abusive billing. Instead, he recommended structuring compensation based on other factors, such as productivity, the number of patients seen, or hours worked.

4. Intent and False Claims Act Liability
The federal False Claims Act (FCA) prohibits the submission of false claims to the government and is the federal government's primary tool in combating fraud, waste, and abuse in the Medicare and Medicaid programs. Providers found to be in violation of the FCA face severe penalties, including significant monetary penalties and treble damages. Although the FCA requires "knowing" conduct, "knowledge" or "intent" may be found even where a person or entity acts with "deliberate ignorance" or with "reckless disregard."

AUSA Molot acknowledged that health care reimbursement is a complex labyrinth that is difficult for providers to navigate. Yet, he maintained that providers can face FCA liability by billing incorrectly due to failure to research and understand the rules. AUSA Molot stated that when providers simply "assume" that they are billing correctly without properly educating themselves, they are acting in reckless disregard of the law. He said that the government will take into account ambiguity in the rules at issue when deciding whether to proceed with a case, but the government expects providers to make every effort to bill properly. He emphasized that the internet has made information readily accessible and providers can and should diligently research billing issues and ambiguities. AUSA Molot added that if he can find the particular rule through a simple Google search, he expects providers to know the rule as well. Providers are expected to be familiar with Medicare Manuals, National and Local Coverage Determinations, the CPT Code, and the CPT Assistant. According to AUSA Molot, if a rule is truly unclear, the government will not treat the case as an FCA violation, but rather, merely as an overpayment situation.

The panel then engaged in a discussion of corporate liability and the circumstances under which a single employee's misconduct may be attributable to the employer. For example, a single coder employed by a large hospital who fails to adequately research the correct way to bill a particular code may subject the entire hospital to FCA liability. AUSA Molot advised that when considering the facts of particular matters and whether to hold an employer responsible, the government will consider the level of provider oversight and supervision, the provider's general compliance efforts, the provider's employee training programs, together with the wrongful actions of the potentially rogue employee.

5. Returning Overpayments
The recently enacted health care reform law created an express obligation under federal law to report and return overpayments. Any provider, supplier, Medicaid managed care organization, Medicare Advantage organization or Part D sponsor organization that receives an overpayment must report and return the overpayment within 60 days of the date the overpayment is "identified," or the date any corresponding cost report is due. Unfortunately, the law does not define the term "identified," and so it is not clear exactly when the 60 day period begins to run.

According to AUSA Molot, the government intends to use "a reasonable person standard." In other words, when a reasonable person has or would have had constructive knowledge that an overpayment exists, the obligation to report and return the overpayment within 60 days begins to run. According to AUSA Molot, once a provider reports the overpayment, the government will work with the provider to determine the amount of the overpayment and a timeline for repayment. For situations in which a provider is unable to identify the repayment amount within 60 days, AUSA Molot recommended reporting the issue within 60 days and working with the government for additional time to define and make the repayment.

AUSA Molot emphasized that when providers discover an overpayment, they are obligated to go back as far as possible in time to determine the entire scope of the overpayment. Reporting and returning the overpayments from the past fiscal year alone will not suffice if the overpayment results from a longstanding issue. Often providers can pinpoint when the overpayments began and in those cases, there is an obligation to return all overpayments, even if they extend back over many years. Providers that have their legal counsel conduct an internal investigation to determine the scope of the overpayment can protect this information under the attorney-client privilege. Counsel can also effectively assist providers in determining how far back they must self-audit for the overpayment given the specific circumstances and how best to report this information to the appropriate government officials.

6. The Health Information Portability and Accountability Act (HIPAA)
Although providers are familiar with HIPAA and its safeguards for protected health information, many do not realize that HIPAA has become a focus for health care enforcement. The Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted in 2009 as part of President Obama's economic stimulus package, made several important changes to HIPAA, including authorizing state Attorneys General to enforce HIPAA by bringing civil actions in federal district courts. HITECH allows state Attorneys General to collect statutory damages ($100 per violation with a $25,000 cap per violation per calendar year) and attorney fees and costs.

Assistant Attorney General Arnold Menchel told the audience that Connecticut Attorney General Richard Blumenthal was the first state Attorney General to use this new authority to enforce HIPAA and emphasized that the Attorney General's Office intends to continue vigilant HIPAA enforcement. AAG Menchel recounted that in 2009, Connecticut filed suit against Health Net for failing to secure protected health information of over half a million Connecticut residents. According to AAG Menchel, Health Net placed 27 million images containing protected health information on an unencrypted drive, which went missing, and was likely stolen. Health Net settled with the State by agreeing to pay $250,000 in statutory damages and providing consumer protection insurance for affected individuals, including two years of credit monitoring, $1 million of identity theft insurance, and reimbursement for the costs of security freezes.

AAG Menchel said that providers should ensure that they comply with HIPAA's privacy and security requirements, including the new breach notification requirements. He added that providers should also ensure that they comply with Connecticut laws aimed at safeguarding personal information, such as social security numbers. For more information on HITECH and breach notification requirements, please see Wiggin and Dana's client advisories at http://www.wiggin.com/showadvisory.aspx?show=5974; http://www.wiggin.com/showadvisory.aspx?show=12162; and http://www.wiggin.com/showadvisory.aspx?show=12385.

* * *

The ever changing landscape of health care regulation constantly challenges providers. Given the recent prioritization of health care enforcement, the stakes are even higher. In this environment, it is helpful to open up lines of communication between the provider community and enforcement officials. Wiggin and Dana thanks all who attended and contributed to making the third annual Health Care Compliance and Enforcement Roundtable interactive, lively, and a great success.