The Fraud Provisions of Kennedy-Kassebaum (Health Care Fraud and Abuse)

June 1, 1997 Advisory

August 1996 saw the passing into law of the Health Insurance Portability and Accountability Act (HIPAA), commonly referred to by its sponsors' names as Kennedy-Kassebaum. With the signing of HIPAA came dramatic advances in the government's ability to identify, investigate and prosecute health care fraud and abuse. The new landscape created by HIPAA includes a firm commitment towards investigation and enforcement funding and training, and heightens the need for effective corporate compliance programs.

Fraud Abuse and Control Program
The cornerstone of the health care fraud and abuse provisions of HIPAA is the creation of the Fraud Abuse and Control Program. This program grants joint authority to the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) and the US. Attorney General for coordination of state and federal health care fraud investigation and enforcement activities. Increased funding in the form of direct appropriations and a subaccount of the Medicaid Trust Fund supports a robust investigation and enforcement effort and will result in the opening of 36 new OIG offices between 1997 and 2002 along with increased enforcement staffing.

Enforcement efforts such as LabScam, the OIG investigation of Medicare and Medicaid fraud and abuse by clinical laboratories, will be better funded in part by their own successes. LabScam alone has resulted in the recovery of over $650 million through settlement agreements and prosecutions since October 1996. Under HIPAA, this money flows back to the Medicaid Trust Fund to assist further enforcement efforts. The commitment of resources, combined with the new civil and criminal provisions, make HIPAA a strong catalyst for increased investigation and prosecution of health care fraud and abuse.

Expanded Exclusion Authority
The ability to exclude health care providers, suppliers and practitioners from participation in the Medicare and Medicaid programs has traditionally been one of the most serious sanctions for health care fraud and abuse. HIPAA expands the reach of mandatory and permissive exclusion authority. The conviction for a felony related to health care fraud, whether under state or federal law and even if the underlying fraud is not related to Medicaid or Medicare, now results in mandatory exclusion. Before HIPAA, such convictions were grounds for permissive exclusion. In another broadening of exclusion powers, investors in, and officers and managing employees of, sanctioned entities are now subject to individual exclusion from Medicare and Medicaid. Exclusion of an investor, which had only been available where the investor was directly responsible for the wrong-doing, now applies when the investor knows or should know of the wrongdoing. Officers and managing employees (defined as employees who exercise operational or managerial control or who conduct the day-to-day operations of the entity) of a sanctioned entity may be excluded even without knowledge of the wrong- doing.

New Criminal Provisions
In addition to strengthening civil penalties, HIPAA creates a series of health care related criminal offenses, such as fraud, theft or embezzlement related to health care services, false statements used to obtain health care benefits or services, obstruction of criminal investigations of health care offenses, and laundering of monetary instruments related to health care. While many of these crimes were, and continue to be, prosecutable under other criminal provisions, their inclusion in HIPAA increases the options for prosecutors pursuing health care fraud.

OIG Advisory Opinions
HIPAA establishes an OIG advisory opinion process whereby outside parties may obtain formal opinions from the OIG based on the parties' current or planned business arrangements or activities. These advisory opinions would address the interpretation of certain statutes as applied to a specific set of facts provided by the outside party.

Data Collection
The Health Care Fraud and Abuse Data Collection Program, newly created by HIPAA, provides for the collection of information related to adverse actions against health care providers and suppliers. These actions will be reported by both government agencies and private health plans, and will not be limited to federal health programs. Adverse actions that will reside in the data base include civil judgments, license and certification sanctions, criminal convictions and "any other negative action or finding" provided the "other negative action" is publicly available information. Malpractice information is excluded.

The new data base is intended to supplement the National Practitioner Data Bank already in use. By creating a new source of fraud and abuse data, and by making it available to the public, HIPAA adds further adverse consequences to the perpetrator of health care fraud and abuse offenses.