HHS OIG Compliance News

How to Write an HHS OIG Complaint

The best way to write an HHS OIG complaint to increase the chances of the complaint being investigated is to prepare a narrative explaining the nature, scope, and time frame of the activity being complained about, and how you came to learn about the activity. When you submit the complaint, the chances of the complaint being investigated are further improved if you can provide supporting evidence and the contact information of a third party who can corroborate the narrative.

Each year, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) receives thousands of complaints, tips, and reports of alleged fraud, waste, and abuse in Federal healthcare programs. HHS OIG does not have the resources to investigate every one, so it prioritizes complaints according to the type of activity and the evidence submitted to support the complaint.

In addition, HHS OIG only has the authority to investigate complaints relating to certain activities, and many complaints can be rejected after being reviewed for relevance. The activities HHS OIG has the authority to investigate include:

  • Whistleblower complaints about fraud, waste, and abuse in HHS programs.
  • False or fraudulent (overpriced) claims submitted to Medicare or Medicaid.
  • Kickbacks or inducements for referrals by Medicare or Medicaid providers.
  • Medical identity theft involving Medicare and/or Medicaid beneficiaries.
  • The failure of a hospital to evaluate and stabilize an emergency patient.
  • Patient abuse or neglect in nursing homes and long-term care facilities.
  • Human trafficking by HHS employees, grantees, and contractors.
  • Crimes, gross misconduct, or conflicts of interest involving HHS employees, recipients of HHS grants, or HHS contractors.

Complaints relating to Medicare policies, coverage, claims, and payment decisions, Social Security fraud, identity theft unrelated to HHS programs, and discrimination within HHS departments are not investigated by HHS OIG. Complaints of this nature will be rejected on review without the complainant being notified of the decision. Therefore it is important that when you write an HHS OIG complaint, the nature of the activity is one that HHS OIG has the authority to investigate.

How to Submit an HHS OIG Complaint

There are various ways to submit an HHS OIG complaint. The most effective is the online OIG HHS Hotline because this method of submitting an HHS OIG complaint allows complainants to upload documents in support of the complaint electronically. Alternative methods such as mail and fax are not so easy to use; and, if you use mail, you are advised not to send original documents, digital media, or physical devices because these will not be returned even if the complaint is rejected.

When you submit an HHS OIG complaint online, you also have the option of requesting confidentiality, in which case your identity is known only to HHS OIG investigators (unless a disclosure is required by law). You may also submit complaints anonymously, but this course of action precludes HHS OIG from investigating a complaint as a whistleblower retaliation complaint, and may hinder the initial review and/or the subsequent investigation into your complaint.

If your complaint is investigated and upheld, there are several potential outcomes depending on the nature of the activity. Most upheld fraud, waste, and abuse complaints and violations of the HHS OIG anti-kickback regulations are resolved by a civil monetary penalty and/or a Corporate Integrity Agreement. However, more serious complaints, criminal complaints, and the failure of a hospital to evaluate and stabilize an emergency patient are likely to result in exclusion from HHS programs.

Individuals concerned about the potential consequences of submitting an HHS OIG complaint – or who need help to write an HHS OIG complaint – are advised to speak with an HHS OIG advisor on 1-800-477-8477 (1-800-HHS-TIPS). Alternatively, if you would prefer independent advice before speaking with an HHS OIG advisor, it is recommended you speak with a legal professional who has experience in healthcare regulatory compliance.

The post How to Write an HHS OIG Complaint appeared first on HIPAA Journal.

How Much are HHS OIG Penalties?

HHS OIG penalties vary depending on the nature of the offense, the scale of the offense, and the cooperation of the violating party during the investigation of the offense. Other factors that can influence HHS OIG penalties include the regulatory limits applied to each type of violation and the violating party’s previous history of compliance with healthcare regulations.

Among its many roles, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) is responsible for investigating allegations of fraud, waste, and abuse in Federal healthcare programs. When HHS OIG identifies fraud, waste, or abuse, it has the authority to recover funds, exclude individuals and organizations from Federal healthcare programs, and pursue civil monetary penalties or criminal penalties depending on the nature of the offense.

The amount of HHS OIG penalties is calculated on a case-by-case basis, and quite often cases can be settled for a mutually agreed amount to avoid potential litigation. The amount of HHS OIG penalties can also be reduced if the violating individual or organization agrees to comply with a Corporate Integrity Agreement. In these cases, compliance with a Corporate Integrity Agreement can save an individual or organization from being added to the HHS OIG Exclusions List.

How HHS OIG Enforcement Actions Unfold

The department of HHS OIG responsible for enforcement actions is the Office of Investigations. The Office of Investigations can be alerted to possible fraud, waste, or abuse by other departments of HHS OIG – for example, the Office of Audit Services or the Office of Evaluation and Inspection – by other operating divisions of HHS – for example, HHS’ Office for Civil Rights – or by members of the public and healthcare employees via the HHS OIG Complaints Hotline.

The Office of Investigations prioritizes HHS OIG enforcement actions according to the nature and scale of the alleged offense and the evidence to support the allegation. The Office then issues subpoenas to acquire documents from the accused “target”, conducts interviews with witnesses and/or employees, and conducts inspections of the target’s workplace. The additional evidence is then reviewed to determine what laws and regulations have been violated.

Depending on the outcome of the reviews, HHS OIG enforcement actions can be settled by mutual consent, by an administrative hearing, or by a court if the offense is criminal in nature. The location can also have an influence on the outcome of HHS OIG enforcement actions if a state law has harsher penalties for a violation than the equivalent Federal law. For example, under California’s WIC Code §15630(h), the failure to report elder abuse carries a jail term of up to one year.

How Regulatory Limits Affect HHS OIG Penalties

State laws aside, the amount of HHS OIG penalties is governed by the regulatory limits of whatever federal law the target has violated. For example, the current (February 2024) regulatory limits for civil violations of the False Claims Act are a minimum civil monetary penalty of $13,946 and a maximum civil monetary penalty of $27,894 per violation. The HHS OIG can also add fines of up to three times the amount falsely claimed from an HHS program.

If the violation of the False Claims Act is criminal, HHS OIG penalties increase to a maximum fine of $500,000 for organizations and $250,000 for individuals. For individuals, criminal convictions under the False Claims Act can also carry a jail term of up to five years. These HHS OIG penalties apply to each individual count filed, and are in addition to penalties prosecutors may seek for conspiracy to defraud the United States, mail fraud, wire fraud, or other federal crimes.

Other laws have different regulatory limits. For example, hospitals that violate the Emergency Medical Treatment and Active Labor Act (EMTALA) are subject to civil penalties of between $64,618 and $129,233 per violation, and violations of the HHS OIG Anti-Kickback Regulations can attract fines of up to $27,894 (plus jail terms). The penalties for violations of the OIG Stark Law are up to $15,000 per item or service charged to an HHS program plus up to $100,000 per arrangement considered a deliberate attempt to circumvent the Anti-Kickback Regulations.

Why HHS OIG Sanctions are Sometimes Combined

It is not unusual to read HHS press releases announcing multi-million dollar settlements that appear to be more than the maximum civil monetary penalty multiplied by the number of violations – even allowing for the recovery of three times the funds falsely claimed from an HHS program. This is because HHS OIG sanctions can be combined if (for example) a physician has violated the OIG Stark Law by accepting a non-excluded kickback which then results in a false claim to an HHS program.

By combining HHS OIG sanctions, the Office of Investigations can negotiate one financial settlement with an individual or organization rather than multiple settlements, and impose a more relevant Corporate Integrity Agreement (if applicable). Alternatively, the department can exclude an individual or organization from HHS programs for a longer period of time than if each set of HHS OIG Sanctions had been dealt with independently of each other.

The takeaway from this is that there is no specific answer to the question “How much are HHS OIG penalties?” In the worst possible scenario, violators of Federal healthcare laws can be fined millions of dollars and/or jailed, and be excluded from HHS programs. Due to the risk of effectively losing the business, individuals and organizations concerned that they may not be complying with all applicable healthcare regulations should seek compliance advice from a legal professional.

The post How Much are HHS OIG Penalties? appeared first on HIPAA Journal.

Seven Elements Of A Compliance Program

The seven elements of a compliance program are integrated processes organizations can adopt to help develop a culture of compliance in the workplace; and, when applied effectively, the seven elements can also be used to streamline operational processes, optimize organizational performance, and reduce overall costs.

Because HIPAA compliance can be confusing, we have compiled this guide to the seven elements to make them relevant for HIPAA. Some compliance software solutions guide compliance officers through the seven elements as part of their set-up process.

Summary Of The Seven Elements

While the seven elements of a compliance program apply to all industries, they originated in the healthcare industry in the 1990s. This was in response to the growing level of healthcare fraud and abuse and an alleged “compliance disconnect” at the executive level in many hospitals and health systems.

These are the seven elements, which we outline in more detail below:

#1: Implement written policies, procedures, and standards of conduct.
#2: Designate a compliance officer and a compliance committee.
#3: Conduct effective training and education.
#4: Develop effective lines of communication.
#5: Conduct internal monitoring and auditing.
#6: Enforce standards through well-publicized disciplinary guidelines.
#7: Respond promptly to detected offenses and undertake corrective action.

The Seven Elements For Effective HIPAA Compliance

Despite being more than twenty-five years old – and not necessarily having been adopted to tackle the same issues – many organizations still use the seven elements in their original format.

The Background to the Seven Elements

In 1991, the Department of Health and Human Services (HHS) launched the Workgroup for Electronic Data Interchange (WEDI). WEDI had the objective of reducing administrative costs in the healthcare system by promoting electronic claims submission.

It achieved its objective by requiring insurance carriers to reimburse healthcare providers more quickly for electronic claims than for paper claims, thus encouraging providers to submit more claims electronically.

As a result, the percentage of claims submitted electronically over the next five years more than doubled – making it harder for adjudicators to identify fraud and abuse attributable to unbundling, duplication, and global service violations.

According to a Congressional Report published by the General Accounting Office in 1995, it was estimated that as much as 10 percent of national healthcare spending was attributable to waste, fraud, and abuse (around $98 billion at the time).

The following year, the long-running Caremark Derivative Litigation case concluded – a case in which it was claimed the company’s board of directors had failed in their fiduciary duty of care to ensure the company’s compliance program was enforced.

Although cleared of “lacking good faith in the exercise of monitoring duties or conscientiously permitting a known violation to occur”, the company settled multiple felony charges against it by paying $250 million in civil and criminal fines.

The relevance of this case is that Caremark’s primary operations were providing patient care and managed care services; and, although the company had implemented compliance policies to prevent breaches of Anti-Referral Payments Laws, a series of violations resulted in shareholders claiming the board of directors had failed to adequately enforce the policies and, as a result, exposed the company to regulatory fines.

This accusation was not lost on the HHS’ Office of Inspector General (OIG).

OIG Publishes First Model Compliance Plan

The year after the conclusion of the Caremark Derivative Litigation case, OIG published its first model compliance plan (62 FR 9435-9441). Although aimed at clinical laboratories, the model compliance plan consisted of seven “compliance plan elements” that subsequently evolved into “the seven fundamental elements of an effective compliance program” in later compliance plans for hospitals, home health agencies, hospices, and nursing facilities.

The primary objective of the plan is fairly transparent. In the preamble to each of the plans, OIG states “many providers and provider organizations have expressed an interest in better protecting their operations from fraud and abuse through the adoption of voluntary compliance programs.” The word “fraud” is repeated a further twenty-eight times in the compliance plan for hospitals (63 FR 8987) and the compliance plan for nursing facilities (65 FR 14289).

It is also noticeable that, from the second plan onward, each plan includes a footnote stating “recent case law suggests that the failure of a corporate Director to attempt in good faith to institute a compliance program in certain situations may be a breach of a Director’s fiduciary obligations” – referencing the Caremark Derivative Litigation case. Clearly, OIG wanted to send the message that, if a voluntary compliance plan was implemented, oversight of the plan was expected.

The biggest influence for the creation of the seven elements of a compliance program (fraud prevention) is sometimes overlooked. This is not necessarily a bad thing because – around the same time – the passage of HIPAA introduced fraud controls and transaction standards that made it harder for healthcare providers to defraud or abuse the system. However, the seven elements can be adapted for more positive purposes than preventing, detecting, and responding to fraud.

What are the Seven Elements of a Compliance Program?

Since the first appearance of the seven elements, some versions have been amended or extended to meet organizational or regulatory requirements.

For example, when the Affordable Care Act made a compliance program a requirement of Medicare participation for some healthcare providers (42 CFR §483.85), an element was added that prohibits organizations from delegating discretionary authority to individuals who “the organization knew, or should have known through the exercise of due diligence, had the propensity to engage in criminal, civil, and administrative violations of the Social Security Act.”

However, as mentioned in the introduction to this article, many organizations that have implemented a compliance plan voluntarily still use the seven elements of a compliance program in their original format.

#1 Implement written policies, procedures, and standards of conduct

The seven elements of a compliance program are often depicted as a linear “start-to-finish” program or as a wheel that starts revolving again when it has completed its first cycle. Neither depiction is entirely accurate, as the seven elements of a compliance program have to integrate with each other at all times to make the program work effectively and facilitate improvements to the program.

The first of the seven elements of a compliance program is a suitable example of why it is important to view a compliance program holistically because it calls for the development of standards (etc.) under the direction of a compliance officer. Yet organizations are not advised to designate a compliance officer until element #2:

“Every compliance program should develop and distribute written compliance standards, procedures, and practices that guide the facility and the conduct of its employees throughout day-to-day operations. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and operational managers.”

If you view the seven elements of a compliance program as a linear program, you could be confused when the second element instructs you to designate the compliance officer you need to complete the first element. You might also be confused if you view the compliance program as a wheel, because it means you will need to rotate the wheel counterclockwise from #2 to #1.

#2 Designate a compliance officer and compliance committee

The temptation with element #2 is to delegate the role of compliance officer and the membership of a compliance committee to members of the same HR, legal, or operations teams or department heads of these teams. This can be a mistake if (for example) the legal team does not understand the real-life challenges of compliance in the workplace.

While it is a good idea to head the compliance committee with a person of authority, it is beneficial to include personnel with public-facing roles (i.e., healthcare professionals) and a mixture of personnel from IT, security, and administration who can provide insights on which policies will work and which won’t without changes to working practices.

#3 Conduct effective training and education

Integrating training and education into a compliance program should not be difficult for most organizations in the healthcare industry, as the majority are required to comply with the HIPAA training requirements, while some are also required to provide annual compliance training as a condition of participation in the Medicare program.

Of significance, in the original seven elements of a compliance program, OIG notes that the continual retraining of personnel at all levels (emphasis added) is a significant element of an effective compliance training program. Along the same lines, OIG adds that adherence to the elements of the compliance program should be a factor in evaluating the performance of managers and supervisors.

#4 Develop effective lines of communication

The development of effective lines of communication is pivotal to the seven elements of a compliance program because effective lines of communication are necessary for members of the workforce to raise questions, report violations, and provide feedback on corrective action plans that may necessitate amendments to policies and procedures and further training.

Ideally the creation and maintenance of effective lines of communication between the compliance officer/committee and the workforce should include a hotline or anonymous reporting system to receive questions, reports, and feedback. Organizations should also adopt procedures to protect the anonymity of complainants and to protect whistle-blowers from retaliation.

#5 Conduct internal monitoring and auditing

This element of an effective compliance program provides an opportunity for executive officers to demonstrate oversight by requesting compliance reports and audits from the compliance officer. In healthcare environments, these reports and audits should be conducted regularly to comply with the HIPAA requirement for regular risk analyses and be available at all times for executive review.

If executive officers participate in this element, it also provides an opportunity to extend lines of communication “from the top to the bottom”. Although it is not always practical to have members of the workforce communicate directly with executive officers (and vice versa), the involvement of executive officers demonstrates a commitment to compliance throughout the entire organization.

#6 Enforce standards through well-publicized disciplinary guidelines

Most organizations distribute disciplinary guidelines at the point of training. Indeed, in the healthcare industry, the standards relating to training and sanctions are almost adjacent to the Administrative Requirements of the Privacy Rule – so it is rare that an explanation of the organization’s sanctions policy is not included in initial HIPAA training.

With regard to enforcing standards, it is important that sanctions are applied fairly. If one group of the workforce is sanctioned more often or more harshly than another group for no justifiable reason, executive officers need to find out why. While it may be the case that one manager is enforcing standards over-zealously, it may equally be the case that another manager is allowing the workforce to take shortcuts with compliance “to get the job done”.

#7 Respond promptly to detected offenses and undertake corrective action

When the seven elements of a compliance plan were originally published in the 1990s, this element focused almost entirely on detecting fraud, reporting it, and enforcing sanctions or implementing measures to prevent it from happening again. With fraud prevention being a less important objective of a compliance plan than it was twenty-five years ago, this element can be used to monitor the effectiveness of the compliance program and improve it where necessary.

For example, if an offense has occurred due to a loophole in a policy (element #1), a lack of training (#3), a communication failure (#4), or a monitoring issue (#5), the compliance officer (#2) can evaluate the existing policies, procedures, and standards, and adjust them as necessary (#7). If the offense has occurred due to the actions of a non-compliant member of the workforce, it may be necessary to increase the penalties in the sanctions policy (#6) to be more of a deterrent.

The Challenges and Benefits of Adopting a Compliance Plan

Adopting the seven elements of a compliance plan can be challenging for an organization starting from scratch. It can be difficult to get leadership buy-in because compliance is not perceived as a revenue generator, it can be difficult to define compliance roles in a complex regulatory environment, and it can be difficult to pull everything together with limited resources.

In healthcare environments, these challenges are mitigated by the fact that many of the elements are – or should be – already in place. HIPAA-covered entities should have developed policies and procedures to comply with the Privacy Rule, have a training and sanctions program up and running, and have procedures for conducting internal audits and responding to data breaches.

All that needs to be done in many healthcare environments is for the compliance officer to bring together the seven elements of a compliance plan into one integrated plan. When managed effectively, the plan will help organizations develop a culture of compliance that can help to reduce costs (i.e., regulatory fines), enhance the organization’s operations (i.e., through improved communication), and advance the quality of healthcare.

This final benefit of adopting a compliance plan is one many organizations are only starting to realize as it has only recently been demonstrated that, when patients believe PHI will remain confidential, they tend to be more forthcoming about healthcare issues. This enables healthcare professionals to make better-informed diagnoses and prescribe more effective courses of treatment, which results in better patient outcomes, satisfaction scores, workplace morale, and staff retention.

Get Help Developing Your Compliance Plan

Multiple sources on the Internet offer help with developing a compliance plan. One of the best is the HHS’ Office of Inspector General compliance guidance web page which includes updated guidance on the seven elements of a compliance program in its General Compliance Program Guidance document.

However, if your organization is a multi-disciplined Covered Entity or Business Associate, and you need more granular help developing a compliance plan, it may be worthwhile reviewing our HIPAA compliance checklist.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Seven Elements Of A Compliance Program appeared first on The HIPAA Journal.