A recent survey by The Harris Poll has revealed that three out of five (59%) healthcare workers are concerned about safety in the workplace, and almost two out of five healthcare workers have considered leaving their employment due to safety concerns as incidents of violence in the workplace increase.

The survey was conducted between April 21 and May 7, 2025, on 1,027 U.S. healthcare workers who frequently interact with patients or their families.  The biggest concerns among healthcare workers were verbal harassment from patients (81%), aggressive behavior/threats from patients (77%), verbal harassment from non-patients (62%), and aggressive behavior/threats from non-patients (59%). More than one-fifth (21%) of healthcare workers said they worry about verbal harassment most of the time or every time they go to work.

These concerns are far from unfounded. Data from the U.S Bureau of Labor Statistics shows healthcare workers are five times more likely to experience violence in the workplace than workers in other industries, and multiple surveys suggest workplace violence is on the rise. The Harris Poll survey revealed that 85% of healthcare workers have experienced verbal harassment from patients, 79% have experienced aggressive behavior/threats from patients, and 43% have experienced physical assaults from patients.  More than half of respondents (54%) said they have felt threatened by patients or their families/visitors at work, and said their co-workers have expressed concern about safety at work (53%).

Female workers were more likely than male workers to experience or witness verbal harassment by patients (88% vs 80%), aggressive behavior from patients (81% vs 74%), and physical assaults by patients (48% vs 34%), with nurses twice as likely as doctors to be physically assaulted. Younger workers are more likely to experience or witness verbal harassment and physical assaults than older workers. There was a 41-percentage-point gap between Gen Z and Boomers for physical assaults.

The survey revealed workplace safety fears are getting worse for nurses and doctors, with 61% of nurses and 53% of doctors saying they are more concerned about physical safety at work than when they started working in healthcare, and 40% of nurses and 27% of doctors were more concerned about personal safety than a year ago. Despite these genuine concerns about workplace safety, healthcare organizations are failing to implement appropriate safeguards to protect their workers, with 41% of respondents saying they only have minimal security in their workplace. The majority of healthcare workers (77%) said safety measures haven’t improved in the past 12 months, and 82% said they wanted increased security measures at work. The measures most wanted for peace of mind were on-site security guards (63%), weapon detection technology (49%), and panic buttons (48%).

The Harris Poll survey paints a similar picture to data from other surveys exploring healthcare workplace safety. A survey conducted by National Nurses United in 2024 revealed that a majority of nurses have experienced at least one type of workplace violence in the past year, and almost half have seen an increase in rates of violence in the workplace.  A survey conducted by the American College of Emergency Physicians in January 2025 revealed 91% of healthcare workers had personally experienced violence at work or knew of a colleague who was a victim of workplace violence, and 40% of healthcare workers said they were aware of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death.

It is no surprise, given the stresses of the job and fears of violence, that many healthcare workers are planning on leaving the profession. NCSBN’s 2024 National Nursing Workforce Study revealed 138,000 nurses have left the workforce since 2022, and almost 40% of nurses plan to leave the workforce by 2029. While those figures include healthcare workers who will be retiring, there is concern that there will be staff shortages due to the difficulty attracting young people into healthcare and retaining them, especially since younger workers are most likely to experience verbal abuse and workplace violence.

Alana O’Grady, Vice President of Communications & Public Affairs at Verkada, said the data clearly shows an urgent need for healthcare organizations to invest in security infrastructure, but this is far from just a safety issue. “This is driving lasting impact in the industry, with workplace violence driving upwards of $18 billion in costs for the healthcare system annually and threatening to drive an even greater cost if labor shortages worsen.”

Steps are being taken to improve safety at work by the Occupational Safety and Health Administration (OSHA), and new legislation has been introduced to better protect healthcare workers. In May, the bipartisan Save Healthcare Workers Act was introduced, which aims to give healthcare workers similar protections as workers in the airline industry by making attacks on healthcare workers a felony. That said, similar legislation has been introduced in the past but has failed to be passed by Congress.

The post The Harris Poll Survey Reveals Growing Concern About Workplace Safety in Healthcare appeared first on The HIPAA Journal.

The U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently announced enforcement actions against entities alleged to have employed excluded individuals who provided items or services that were billed to federal healthcare programs. On May 29, 2025, HHS-OIG announced a $1,565,374.11 settlement agreement with 19 skilled nursing facilities to resolve allegations that they knew or should have known that they employed individuals who were excluded from federal healthcare programs.

The second settlement agreement involved a $35,597.37 penalty for CareLink Home Health, LLC in Illinois for employing an excluded individual who worked as a nurse and case manager when that individual was on the exclusions list.

HHS-OIG can exclude individuals and entities from federally funded healthcare programs such as Medicare and Medicaid for a variety of reasons. The length of time an individual or entity is excluded depends on the reason for exclusion, with the longest terms typically for Medicare and Medicaid fraud convictions. For example, a Michigan man was recently excluded for 10 years for submitting false claims for pharmaceuticals that were never dispensed. For repeat offenders, exclusion may be permanent.

For some offenses, there is no minimum exclusion period; for instance, HHS-OIG may exclude an entity for defaulting on its payment obligations under a settlement agreement. The entity will remain on the list at the discretion of HHS-OIG and will not be eligible for reinstatement until the default of their payment obligations is cured.

Healthcare organizations must check the HHS-OIG List of Excluded Individuals/Entities (LEIE) before any new hire or onboarding of a new vendor, and should also regularly check the LEIE to ensure that current employees and vendors are not excluded to avoid CMP liability.

The post HHS-OIG Imposes Penalties on Skilled Nursing Facilities for Employing Excluded Individuals appeared first on The HIPAA Journal.

This month, the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) agreed to settlements with two healthcare providers who employed nurses on the HHS-OIG exclusion list, who provided items or services that were billed to federally funded healthcare programs.

The exclusion list, formally known as the List of Excluded Individuals and Entities (LEIE), contains entities and individuals excluded from participating in federally funded healthcare programs. The exclusion list was established to prevent fraud, waste, and abuse in federally funded healthcare programs. If an individual or entity has been added to the list, they are not permitted to participate in federally funded healthcare programs in any capacity.

There are many different reasons for exclusion, including fraud convictions, patient abuse and neglect, felony drug convictions, submission of false claims, and participation in illegal kickback schemes. Certain violations carry a mandatory minimum exclusion period, with HHS-OIG having discretion over how long an entity or individual remains on the list. While it is possible to be removed from the list after the minimum term has expired, the excluded company/individual must complete a formal reinstatement process, which can take some time.

Prior to hiring any individual or onboarding a new supplier, healthcare organizations need to review the exclusion list to make sure the company or individual has not been excluded. The responsibilities do not end there, as if an individual or company is added to the exclusion list after hiring/onboarding, penalties can be imposed for continuing to employ that individual or the continued use of a company’s services. Regular screenings of the workforce should be conducted, along with monthly checks of vendors to ensure OIG compliance. Many companies choose to ease this compliance headache by using automated screening and other third-party compliance services.

In April 2025, two companies were discovered to have failed to conduct exclusion list checks, resulting in the employment of excluded individuals. Advancare Healthcare Services in Lombard, Illinois, was discovered to have employed a registered nurse who was on the exclusion list and had been barred from participating in federally funded healthcare programs. The nurse had provided items or services that were billed to Medicare or Medicaid. Advancare Healthcare Services agreed to settle the alleged exclusion list violation, paid a $41,596.68 penalty, and was required to terminate the nurse’s employment.

Associated Clinicians of East Texas, PLLC, which does business as Diagnostic Clinic of Longview, was discovered to have employed a licensed vocational nurse who had been added to the exclusion list. The nurse provided items or services billed to federally funded healthcare programs. Diagnostic Clinic of Longview agreed to settle the alleged violation, paid a $77,877.45 financial penalty, and was required to terminate the nurse’s employment.

The post Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List appeared first on The HIPAA Journal.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified potential misuse of health risk assessments (HRAs) and HRA-linked chart reviews by Medicare Advantage (MA) companies, which may have resulted in millions of dollars in overpayments.

The Centers for Medicare and Medicaid Services (CMS) pays MA companies higher risk-adjusted payments for sicker enrollees to cover costlier care and each year, MA companies receive millions in overpayments based on unsupported diagnoses for MA enrollees. When diagnoses are reported only using enrollees’ HRAs and HRA-linked chart reviews and there are no follow-up visits, procedures, or tests, HHS-OIG is concerned that the diagnoses may be inaccurate and therefore the payments made by the CMS may be improper. Alternatively, the lack of follow-up visits and tests suggests that if the diagnoses are accurate, enrollees have not received the necessary care for serious health conditions.

HHS-OIG’s analysis of MA encounter data identified 1.7 million MA enrollees whose diagnoses were only reported using HRAs and HRA-linked chart reviews and did not include any follow-ups. Out of the 17 million MA enrollees, 19,028 enrollees had no other service records at all in 2022 apart from a single HRA. HHS-OIG estimates that around $7.5 billion in MA risk-adjusted payments were made for 2023 and that 80% of those payments were made to just 20 MA companies.

Almost two-thirds of those payments were based only on In-home HRAs and HRA-linked chart reviews, which have a higher risk of misuse as they are usually administered by MA companies and their third-party vendors rather than enrollees’ own providers. In fiscal year 2023, the CMS identified $12.7 billion in net overpayments due to plan-submitted diagnoses that were not supported by documentation in enrollees’ medical records and concerns have been raised by oversight entities that MA companies are using HRA and HRA-type assessments to maximize their risk-adjusted payments rather than to improve the care provided to enrollees. HHS-OIG says the risk-adjustment payment policy creates a financial incentive for MA companies to misrepresent health statuses and submit unsupported diagnoses to inflate their risk-adjusted payments.

HHS-OIG recommended the CMS take steps to identify and prevent misuse of HRAs and HRA-linked chart reviews. HHS-OIG suggested the CMS impose additional restrictions on the use of diagnoses reported only on in-home HRAs or chart reviews linked to in-home HRAs for risk-adjusted payments, conduct audits to validate diagnoses reported using only HRAs and HRA-linked chart reviews, and determine whether certain health conditions such as diabetes and congestive heart failure that drove payments on in-home HRAs and chart reviews are more vulnerable to misuse by MA companies. The CMS only concurred with the last recommendation.

The post HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies appeared first on The HIPAA Journal.

The HHS Office of Inspector General (HHS-OIG) has issued a warning to the public about a fraud scheme that targets Medicare enrollees and involves them setting up monthly payments for medically unnecessary remote patient monitoring (RPN). Scammers are cold calling Medicare enrollees, sending unsolicited text messages, and using Internet and television ads to push RPN services, regardless of medical necessity. RPM is a legitimate service of benefit to individuals who have medical conditions such as diabetes that can deteriorate quickly, resulting in complications, hospitalization, and even death. RPN involves remotely monitoring patients to identify anomalies such as an irregular heartbeat, high blood pressure, or dangerous blood glucose levels, allowing rapid action to be taken before a condition deteriorates. RPM typically involves glucose monitors, blood pressure cuffs, and cardiac rhythm devices.

Scammers are targeting Medicare enrollees and convincing them to sign up for RPN. The scammers steal Medicare numbers and other personal information and bill Medicare for unnecessary RPN services. Those services are often not provided, and even when RPM devices are issued, patients are not monitored even though they are charged monthly for the service. HHS-OIG has advised Medicare enrollees to hang up if they receive a call offering a free brace that will be billed to Medicare and recommends that they check their Explanation of Benefits statements for services that have not been ordered or provided.

If any contact is made and free equipment is offered that requires a Medicare number to be provided, it is likely to be a scam. Any requests for requests for medical equipment should be approved by a trusted healthcare provider, who will evaluate whether the equipment is medically necessary. Medicare beneficiaries have also been advised to refuse to accept deliveries of any unordered medical equipment unless their healthcare provider has ordered it.

A few weeks ago, HHS-OIG sounded the alarm about another Medicare scam involving durable medical equipment (DME). Medicare enrollees are being contacted and offered urinary catheters at no cost by an unscrupulous DME company. “Usually, the DME company will obtain its own authorizing provider, who does not know or have a relationship with the enrollee, to sign an authorization for DME,” explained HHS-OIG. “Occasionally, the DME company may get the enrollee’s provider to sign an authorization for the DME.”

According to the National Association of Accountable Care Organizations (NAACOS), around $2.8 billion is estimated to have been fraudulently billed to Medicare for urinary catheters. Medicare payments for the billing codes used for urinary catheters increased from $153 million in 2021 to $2.1 billion in 2023.

The post HHS-OIG Warns Consumers About Remote Patient Monitoring Scam appeared first on HIPAA Journal.

The Department of Health and Human Services (HHS) Administration for Children and Families (ACF) has put the sensitive data of families and children at risk by failing to address security gaps in its cloud environment, according to a recent audit by the HHS Office of Inspector General (HHS-OIG).

HHS-OIG is conducting a series of audits of HHS divisions to determine if they have implemented effective cybersecurity controls for their cloud environments and are compliant with federal security requirements and guidelines. For the audit, HHS-OIG reviewed ACF’s cloud inventory, policies and procedures, and the configuration settings of ACF vulnerability scanners. Penetration tests were also conducted internally and externally on selected cloud information systems and web applications, and phishing tests were conducted on ACF personnel.

While ACF had implemented security controls to protect its cloud information systems and data, HHS-OIG identified gaps in its security controls and vulnerabilities that could be exploited by malicious actors to gain access to systems and the sensitive data of families and children. One of the main problems stemmed from its inventory of cloud computing assets, which was not comprehensive. HHS-OIG said ACF did not accurately identify all of its cloud computing assets because ACF did not establish policies and procedures to inventory and monitor cloud information system components.

If components are missed from the inventory, security controls to prevent unauthorized access may be overlooked, resulting in those components not being adequately secured and websites may be left vulnerable because they are not kept up-to-date, with patches missed and misconfigurations not identified. While HHS-OIG did not identify compromises, the identified vulnerabilities could be exploited resulting in modifications to cloud systems and the execution of system commands to allow sensitive data to be accessed, including the personally identifiable information of families and children. If assets are not being monitored, there is a risk that threat-hunting efforts may not identify compromises, giving adversaries the freedom to attack other components undetected.

HHS-OIG also found that ACF did not perform adequate cloud and web application technical testing techniques against its systems to proactively identify the vulnerabilities HHS-OIG discovered, potentially putting data at a high risk of compromise. While ACF had implemented security controls to protect its cloud information systems, HHS-OIG identified several other security controls that had not been implemented that are stipulated in federal requirements and guidelines.

HHS-OIG made several recommendations on how ACF should improve the security of its cloud information systems. The audit uncovered 19 security controls that need to be improved, cloud security procedures should be updated, tests should be conducted on cloud information systems that emulate the tactics, techniques, and procedures of adversaries, and ACF must update and maintain a complete and accurate inventory of its cloud information systems and components. HHS-OIG also recommended that ACF leverage cloud security assessment tools to identify weak cybersecurity controls and misconfiguration. ACF concurred with all of HHS-OIG’s recommendations and described the actions that will be taken to address the identified issues.

The post Weak Cloud Security Controls at the Administration for Children and Families Have Put Sensitive Data at Risk appeared first on HIPAA Journal.

The role of compliance officers in HHS OIG regulations is to ensure policies and procedures are in place to mitigate the risk of a healthcare organization violating a law protecting HHS programs and beneficiaries from fraud or abuse. It is also the role of compliance officers in HHS OIG regulations to monitor compliance with the policies and procedures, and to enforce sanctions on workforce members when they fail to comply with the policies and procedures.

While this explanation of the role of compliance officers in HHS OIG regulations may sound complicated, it is not as difficult as it seems. There are usually only five healthcare regulations enforced by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) – these being:

• The False Claims Act
• The Anti-Kickback Regulations
• The Physician Self-Referral Law
• The HHS OIG Exclusion Statute
• The Emergency Medical Treatment and Active Labor Act (EMTALA)

The False Claims Act

The False Claims Act protects HHS programs from being fraudulently charged for medical items or services. It is an offense to submit any claim that a healthcare organization knew or should have known was inaccurate; and, depending on the degree of intent, the penalties for violations of the False Claims Act can be civil (up to $27,894 per violation) or criminal (up to $250,000 per violation plus jail time for individuals and up to $500,000 per violation for organizations).

The role of compliance officers in HHS OIG regulations in this case is to ensure processes exist to verify the authenticity of reimbursement claims, that billing irregularities are flagged for investigation, and that security gaps are closed to prevent internal or external bad actors compromising HHS transactions. In the event that claims and billing are outsourced, the role of compliance officers is to conduct due diligence on third party service providers.

The Anti-Kickback Regulations

The anti-kickback regulations exist to prevent inducements for referrals and “paid-for” recommendations for medical items or services. The consequences of “healthcare by inducement” are not only higher reimbursement claims, but also the risk that patients may not receive the most appropriate healthcare. Consequently, penalties for violations of the anti-kickback regulations are imposed on both the payer of an inducement and its recipient.

Because it is usually individuals who succumb to inducements, it is rare that an organization is investigated for an offense against the anti-kickback regulations. However, compliance officers need to be alert to individual members of the workforce accepting non-exempt inducements. This is because any induced reimbursement claims submitted via the organization will have to be repaid to HHS if a kickback allegation against a workforce member is proven.

The Physician Self-Referral Law

The Physician Self-Referral Law (aka The Stark Law ) prohibits healthcare providers from referring patients to “designated health services” when the healthcare provider or an immediate family member has a financial interest in the designated health service. To prevent violations of this law, compliance officers will need to know if any workforce members have business interests (including indirect family business interests) outside the healthcare organization.

However, when the HHS OIG investigates a violation of the Stark Law, the perpetrators are the referring healthcare provider (i.e., a member of the workforce) and the health service that benefitted from the self-referral. The organization for whom the compliance officer works will not be responsible for repaying the proceeds of any unlawful activity. Nevertheless, workforce members violating HHS OIG fraud laws is not something compliance officers want on their CVs!

The HHS OIG Exclusions List

In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments gave HHS OIG the authority to exclude individuals and entities from participating in HHS programs if they were found to have violated a healthcare fraud or abuse law. Depending on the violation, an exclusion can be mandatory (typically five years) or discretionary (no minimum or maximum limits) – during which time excluded individuals and entities cannot bill HHS programs directly or indirectly.

The role of compliance officers in HHS OIG regulations in this case is to ensure that no excluded individual becomes a member of the workforce and that no goods or services are supplied by an excluded entity. Healthcare organizations that employ excluded individuals or who contract goods or services from an excluded entity can be fined up to $20,000 for each good or service unlawfully claimed plus three times the amount claimed from an HHS program.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires qualifying healthcare organizations that participate in HHS programs to examine an individual requesting emergency care and provide emergency treatment regardless of the individual’s insurance coverage or ability to pay. If the healthcare organization cannot provide appropriate emergency treatment, they must stabilize the individual and arrange a transfer to another healthcare organization that has appropriate treatment capabilities.

Qualifying healthcare organizations that fail to examine an individual or who fail to accept an individual transferred from another healthcare organization can be fined up to $129,233 and added to the HHS OIG Exclusions List. What can complicate the role of compliance officers in HHS OIG regulations such as EMTALA is when exemptions exist depending on location, the nature of the emergency treatment required, and the professional affiliation of healthcare workers.

How to Fulfil the Role of Compliance Officers in HHS OIG Regulations

The way to fulfil the role of compliance officers in HHS OIG regulations is to adapt existing policies and procedures to mitigate the risk of violating a healthcare fraud or abuse law. For example, most healthcare organizations are required to audit their claims and billing processes as a condition of participation in Medicare and Medicaid. Existing procedures could be adapted so that reimbursement claims are verified and irregularities are flagged in the audit process.

Similarly, with regards to conducting due diligence on third party service providers, this is a condition of HIPAA compliance when PHI is shared with a business associate – as are reasonable and appropriate measures to protect the confidentiality, integrity, and availability of electronic PHI whether it is shared with a business associate or processed inhouse. Complying with HIPAA Security Rule automatically ensures that Part 162 transactions are more secure.

With regards to identifying violations of the anti-kickback regulations, induced reimbursement claims should be flagged as part of an effective audit process, while the requirement to check individuals against the HHS OIG Exclusions List is an extra check to add to the existing Level 2 checks many healthcare organizations already have to do before engaging a new member of the workforce in order to comply with state employment laws.

As many of the policies and procedures required to fulfil the role of compliance officers in HHS OIG regulations are adaptions or extensions of existing policies and procedures, monitoring workforce compliance with the policies and procedures should not create an additional compliance burden – nor should enforcing sanctions on workforce members when they fail to comply with the policies and procedures. Nonetheless, compliance officers uncertain about how to fulfil their role with regards to HHS OIG regulations should seek independent compliance advice.

The post The Role of Compliance Officers in HHS OIG Regulations appeared first on HIPAA Journal.

Audits conducted by the Department of Health and Human Services Office of Inspector General (HHS-OIG) of states that claim Medicaid school-based costs with the assistance of contractors have revealed some states have claimed unallowable federal funds due to their contractors improperly conducting random moment time studies (RMTSs). Pennsylvania is the latest state to be audited by HHS-OIG, which found that approximately $590 million was claimed in federal Medicaid payments for school-based services between July 1, 2015, and June 30, 2019, $551.4 million of which was improperly claimed.

For the audit, HHS-OIG reviewed a stratified random sample of 310 random moments, each of which was coded as a health service or administrative activity. HHS-OIG also looked at the methods Pennsylvania used to allocate health services costs to Medicaid.

Based on the sample, HHS-OIG estimated that Pennsylvania claimed $182.5 million in unallowable Federal funds because it did not support that all moments used in RMTSs and coded as Medicaid-eligible were actually for Medicaid-eligible health services or Medicaid administrative activities. Pennsylvania also improperly claimed $368.9 million when it used unsupported ratios to allocate costs to Medicaid. The RMTSs conducted by contractors for Pennsylvania did not cover all days worked by staff members because they were not conducted for the first month of the school year.

HHS-OIG said that the improper claims were due to complex cost allocation methods that were developed by the state and its contractor which were difficult or impractical to support with documentation, or that CMS guidance was not followed. HHS-OIG recommended that the state refund the $182.5 million as these funds were used for unsupported Medicaid-eligible health services and Medicaid administrative activities. HHS-OIG also recommended that the state either support or refund the $368.9 million, as these funds were claimed using an unsupported cost allocation method. HHS-OIG also provided guidance to the state to help with the preparation of accurate and supportable claims.

Pennsylvania agreed with the guidance but disagreed with the monetary and procedural recommendations, specifically disagreeing with the HHS-OIG finding that the moments were not supported as Medicaid-eligible. Pennsylvania claimed that it was not required to provide documentation other than what RMTS participants provided and that it was not responsible for ensuring that all service providers were appropriately licensed. Pennsylvania also claimed that the ratios it used for allocating costs to Medicaid are accurate.

The post HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds appeared first on HIPAA Journal.

An HHS OIG compliance program consists of best practices that should be included in an integrated healthcare compliance program to avoid violating fraud and abuse laws enforced by the Department of Health and Human Service (HHS) Office of Inspector General (OIG). Adding HHS OIG compliance best practices to an integrated program not only helps avoid penalties for HHS OIG compliance failures, but may also improve compliance with the integrated program.

Integrated healthcare compliance programs are programs that combine some or all applicable healthcare rules, regulations, and standards into a single compliance program. For example, a healthcare facility might combine CMS’ Emergency Preparedness Rule (81 FR 63860) with OSHA’s Emergency Planning Regulation (§1910.38) and HIPAA’s Contingency Plan Standard (§164.308(a)(7)) to comply with all three requirements via a single activity.

Although integrated healthcare compliance programs can be complicated to develop and keep up to date, they have multiple benefits. In addition to reducing the compliance burden (for example, by reducing the three compliance requirements above to just one), it is also simpler to train workforce members on one integrated compliance program – which has the secondary benefit of simultaneously complying with the CMS, OSHA, and HIPAA training requirements.

What Does an HHS OIG Compliance Program Consist Of?

There is no one-size-fits-all HHS OIG compliance program because some healthcare facilities might not conduct all the activities covered by fraud and abuse laws, while other healthcare facilities might outsource some activities to a third party (i.e., claims and billing) – in which case the third party is liable for compliance violations. However, there are five main fraud and abuse laws most healthcare organizations have to consider in an HHS OIG compliance program:

The False Claims Act

The False Claims Act protects the government from being overcharged for goods or services. In the context of an HHS OIG compliance program, it is a violation of the False Claims Act to submit claims for payment to Medicare, Medicaid, or any other HHS program that a healthcare facility knew – or should have known – were fraudulent. For this reason, it is important to monitor claims and billing activities – even when these activities are outsourced to a third party.

The penalties for violations of the False Claims Act vary depending on whether HHS OIG considers violations to be civil or criminal offenses. HHS OIG has the authority to impose fines of up to $27,894 per civil violation (March 2024) and up to three times the amount falsely claimed from HHS programs. Criminal violations are referred to the Department of Justice, who can pursue fines of up to $500,000 per violation and jail terms of up to five years per violation.

The Anti-Kickback Regulations

In addition to an HHS OIG compliance program consisting of measures to prevent fraudulent billing events, a program should also include measures to prohibit the receipt of – or payment for – kickbacks to induce referrals for items and services reimbursable by an HHS program. HHS OIG considers kickbacks to not only be monetary, but also “in-kind remunerations” such as cost-sharing waivers, shares, subsidies, free items, space, equipment, and services.

The important thing for healthcare facilities to be aware of with regards to the anti-kickback regulations is that both parties involved in a kickback transaction can be found guilty of a violation (i.e., the payer and the recipient of the kickback). In addition, as with violations of the False Claims Act, the penalties for violating the anti-kickback regulations can be criminal and civil – although in this case, the maximum criminal fine is $100,000 per violation.

The Stark Law

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring patients to receive “designated health services” when the physician or an immediate family member has a financial interest in the designated health service. It is important to be aware the term designated health services not only relates to the provision of treatment, but can also refer to the provision of therapy, medical items, and outpatient prescription drugs.

Both the physician that violated the Law and the health service that benefitted from the violation are considered liable for the violation by HHS OIG. Self-referring physicians can be fined up to $15,000 per violation (or up to $100,000 if the violation is considered an attempt to circumnavigate a criminal anti-kickback regulation), while the health service will have to refund up to three times the amount of any payments received from an HHS healthcare program.

The Exclusion Statute

The Exclusion Statute requires HHS OIG to exclude individuals and organizations from participating in HHS programs if they are found guilty of Medicare or Medicaid fraud, patient abuse or neglect, intentionally violating the anti-kickback regulations, or unlawfully manufacturing, distributing, prescribing, or dispensing controlled substances. HHS OIG also has the discretionary authority to exclude individuals and organizations for misdemeanors.

Being excluded from participating in HHS programs not only means they cannot bill HHS directly. It also means they cannot bill HHS indirectly by providing goods or services via a third party healthcare facility. To make it harder to circumnavigate the Statute, third party healthcare facilities are prohibited from – and can be fined for – contracting goods or services from an individual or organization that appears on the HHS OIG Exclusions List.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires healthcare facilities that participate in HHS programs to conduct a medical screening examination on any individual requesting emergency care. If the examination identifies an emergency medical condition, the facility must stabilize the individual and provide treatment until the emergency medical condition is resolved. If the facility does not have the capability to treat the individual, it must transfer the individual to a facility that can provide treatment.

Healthcare facilities that fail to conduct a medical screening examination, or who fail to accept an individual transferred from another healthcare facility for emergency treatment, can be fined up to $129,233 and added to the HHS OIG Exclusions List. Individuals to whom a screening or treatment is denied can also take civil action in some states, whereas in other states conditions may apply with regards to the provision of emergency labor and psychiatric treatments.

What are HHS OIG Compliance Best Practices?

Similar to an HHS OIG compliance program, there are no one-size-fits-all HHS OIG compliance  best practices. In order to determine what HHS OIG compliance best practices should be included in a compliance program – whether an integrated compliance program or not – healthcare facilities should assess their exposure to violations of all applicable fraud and abuse laws, and develop policies and procedures to mitigate the risk of a violation occurring.

Recommendations for assessing the risk of an HHS OIG violation include auditing HHS claims and billing processes – even when outsourced to a third party – in order to identify potential vulnerabilities, irregularities, or opportunities for fraud. There is HHS OIG-issued software that can help with the audit process, but smaller healthcare facilities might find it quicker to conduct an audit manually, rather than work out how to use the software on smaller data sets.

One of the most important HHS OIG compliance best practices that all healthcare providers should integrate into a compliance plan is an HHS OIG Background Check. Policies should be put in place to check the HHS OIG Exclusions List before any new hire or supplier is engaged, while procedures should exist to periodically recheck the Exclusions List due to the length of time it can take for an individual or organization under investigation to be added to the Exclusions List.

With regards to EMTALA, it is a best practice for qualifying healthcare facilities to train members of the workforce on what medical conditions qualify for mandatory emergency screening and/or treatment, and when exceptions apply – either due to location, medical discipline, or the professional affiliation of healthcare workers. EMTALA can have several gray areas, so it may be important HHS OIG compliance best practices are enforced when EMTALA is applicable.

The Benefits of HHS OIG Compliance Risk Management

The benefits of HHS OIG compliance risk management are that healthcare facilities mitigate the risk of an HHS OIG violation – reducing the chance of a fine, criminal conviction, or private action by an individual that has been denied emergency care. Even when these consequences of an HHS OIG violation do not happen, healthcare facilities may be required to comply with a Corporate Integrity Agreement – which can be costly to comply with as well as being disruptive.

However, HHS OIG compliance risk management does not have to be particularly complicated. It has already been demonstrated how combining multiple compliance requirements into one integrated healthcare compliance program can reduce the compliance burden and help healthcare facilities save time and money – and adding HHS OIG compliance best practices to an existing integrated healthcare compliance program should be equally as beneficial.

For example, most Medicare Part D and Medicare Advantage providers already have to conduct claims and billing audits as a condition of participation in Medicare. Similarly, most states have laws that require healthcare facilities to conduct Level 2 background checks on new employees (i.e., professional license verification, sex offenders list, etc.) – so adding one more background check (the HHS OIG Exclusions List) is barely going to increase the compliance burden.

Healthcare facilities that are unsure about which fraud and abuse laws apply to their activities (including outsourced activities) and how to comply with them – or when exceptions apply to certain activities under the Safe Harbor regulations – should contact HHS OIG for advice. Alternatively – or to find out more about developing an integrated healthcare compliance program – healthcare facilities can seek independent advice from a compliance professional.

The post What is an HHS OIG Compliance Program? appeared first on HIPAA Journal.