A former Maryland dentist has been sentenced for practicing dentistry without a license and fraudulently billing Medicaid for $8.5 million. Seyed Hamid Tofigh, 57, of Potomac, MD, used the names, provider numbers, and professional credentials of four licensed dentists to submit claims to the Maryland Medicaid program, which is a state-run program that provides healthcare benefits to low-income individuals. The majority of Tofigh’s patients were children.

Tofigh had been a licensed dentist since September 1994 and operated several dental practices with two of his brothers. By 2015, the brothers had separated their ownership of the practices and Tofigh retained ownership of Greenbelt Family Dentistry in Greenbelt, MD, and Rockville Family Dentistry in Rockville, MD. In 2014, after receiving several complaints from patients, the Maryland Board of Dental Examiners suspended Tofigh’s license to practice dentistry due to there being a substantial likelihood that he posed a risk of harm to public health, safety, and welfare. In 2015, after a continued investigation, his license was revoked. The Maryland Board of Dental Examiners found Tofigh kept “consistently incompetent and egregiously deficient” dental records, provided incompetent and substandard treatment, billed for services that he never provided, and engaged in unprofessional and dishonorable conduct.

From 2015 through January 2023, Tofigh continued to practice dentistry on Medicaid recipients, but since he was not able to personally bill Medicaid for his services, used the stolen identities of other dentists – two of his brothers, a nephew, and a former colleague – to submit claims. Tofigh continued to provide substandard treatment, billed for procedures that were not performed, conducted unnecessary procedures such as extractions, fillings, and root canal treatments, and intimidated and bullied patients who complained.

On February 6, 2024, Tofigh pleaded guilty to one count of defrauding a state health plan (Medicaid) and one count of practicing dentistry without a license. The Honorable Carol Ann Corderre of the Circuit Court for Prince George’s County sentenced Tofigh to 5 years in jail, with all but 78 days suspended. Tofigh was placed on home detention for 18 months and will serve 5 years of probation for the Medicare fraud count. Tofigh was also sentenced to serve 1 year in jail and a five-year probation term for practicing dentistry without a license. The jail term was suspended, and the two sentences will run consecutively. Tofigh has been prohibited from providing healthcare services that are partially or wholly funded by state or federal governments and must permanently surrender his Maryland dental license. He has also been ordered to pay $8.5 million in restitution within 12 months, of which $4.5 million has already been paid.

“This case revealed a complex healthcare fraud scheme that not only drained taxpayer dollars away from our State’s Medicaid program but also placed Dr. Tofigh’s young patients in real danger,” said Attorney General Brown. “By stopping Dr. Tofigh, my office continues in its commitment to protecting patients and ensuring the integrity of State programs remains intact.”

The post Dentist Sentenced for Theft of $8.5 Million from Medicaid appeared first on HIPAA Journal.

An HHS OIG investigation is a criminal, civil, or administrative investigation into fraud or misconduct in a program run by the Department of Health and Human Services which affects the program, its operation, or its beneficiaries. HHS OIG investigations can result in criminal convictions, financial recoveries, civil monetary penalties, or exclusions from participation in Federal healthcare programs.

The Department of Health and Human Services (HHS) consists of twelve operating divisions which, between them, administer more than 100 programs. Since 1976, the HHS Office of Inspector General (OIG) has been responsible for protecting the integrity of the $2.4 trillion portfolio of programs and the well-being of program beneficiaries.

Within the HHS OIG is an Office of Investigations. The Office of Investigations can be alerted to potential fraud or misconduct by another Office within HHS OIG – for example, the Office of Audit Services – or via the OIG Hotline, which receives allegations of fraud, waste, and abuse in HHS programs from whistleblowers, the public, and HHS employees.

The HHS OIG receives thousands of allegations each year and cannot investigate them all. The Office of Investigations prioritizes allegations according to the nature and scope of the allegation, and the evidence provided to support the allegation. The Office then analyzes the allegation to determine whether it warrants a formal investigation or can be resolved informally.

The Formal HHS OIG Investigation Process

To start a formal HHS OIG investigation, the Office of Investigations issues subpoenas requiring a “target” individual or business to produce documents, conducts witness interviews with the targets, their employees, and/or patients, and visit the target’s offices to conduct inspections. Inspections are rarely announced so that investigators have the best chance of identifying fraud or misconduct.

Once all the relevant evidence has been collected, investigators review the documents, witness statements, and inspection reports to determine whether an unlawful event has taken place (such as a violation of the Stark Law or False Claims Act) or whether the target has violated healthcare regulations (such as issued under the No Surprises Act) to the detriment of a program beneficiary.

At this stage, there are three possible outcomes. The first is that the HHS OIG investigation finds insufficient evidence to support the allegation – in which case the investigation is dropped. The second is that the Office continues the investigation with the help of ancillary agents (i.e., cybersecurity or data analytics experts), and the third is that the Office pursues an enforcement action.

Office of Investigations Enforcement Actions

When the Office of Investigations pursues an enforcement action, the penalty can depend on factors such as the nature and scope of the offence, the amount of harm caused, the target’s cooperation during the formal HHS OIG investigation, and any campaign HHS is running to raise awareness of specific regulations (i.e., violations of the Emergency Medical Treatment and Labor Act).

At one end of the scale, an individual or the director/owner of a business can be sent to jail if an HHS OIG investigations uncovers violations of the Social Security Act §1177. At the other end of the scale, an individual can avoid a civil monetary penalty or addition to the HHS OIG Exclusion List by entering into a Corporate Integrity Agreement. Alternatively, agreeing to a Corporate Integrity Agreement can reduce the amount of a civil monetary penalty. For example:

• In February 2019, Greenway Health LLC settled allegations it had violated the False Claims Act for $57.25 million and agreed to a five year Corporate Integrity Agreement.
• In December 2017, 21st Century Oncology settled a self-reported violation of the Stark Law for $26 million and entered into a five year Corporate Integrity Agreement.
• In September 2011, Hill-Rom Company Inc. settled allegations it had violated the False Claims Act for $41.8 million and agreed to a five year Corporate Integrity Agreement.

The post What is an HHS OIG Investigation? appeared first on HIPAA Journal.

The U.S. Department of Health & Human Services Office of Inspector General (HHS-OIG) has published a Roadmap for New Physicians on avoiding Medicare and Medicaid fraud and abuse. The guidance for new physicians is intended to explain how to comply with Federal laws that combat fraud and abuse, how to identify red flags that could lead to potential liability in law enforcement and administrative actions, and includes tips on compliance with these laws in physicians’ relationships with payers, vendors, and fellow providers.

The Federal Government places enormous trust in physicians and programs such as Medicare and Medicaid rely on physicians’ medical judgment to treat beneficiaries of these programs with appropriate services and to submit accurate and truthful claims. While most physicians work ethically and provide appropriate care to patients and submit claims accurately, there are a few who attempt to cheat the systems for personal financial gain. As a result of dishonest healthcare providers, laws have been created to combat fraud and abuse.

There are five main Federal fraud and abuse laws that physicians should be aware of:

• The False Claims Act
• The Anti-Kickback Statute
• The Physician Self-referral (Stark) Law
• The Exclusion Statute, and
• The Civil Monetary Penalties Law

The False Claims Act protects the government from being overcharged or sold shoddy goods and services. Submitting claims for Medicare and Medicaid that are known to be fraudulent is illegal and carries a penalty of up to three times the programs’ loss plus $11,000 per claim. These penalties apply regardless of whether there was specific intent to defraud. There are whistleblower provisions that allow individuals to file suits on behalf of the United States and obtain a percentage of any recoveries. There is also a criminal False Claims Act, and physicians have received criminal fines and have served time in jail for submitting false claims.

The Anti-Kickback Statute is a criminal law prohibiting knowing and willful payment of remuneration for inducing or rewarding patient referrals and the generation of business involving items or services payable by the Federal health care programs. Penalties for kickbacks include fines, jail time, and exclusion from Federal health care programs. The penalty is $50,000 per kickback plus three times the amount of the remuneration.

The Physician Self-referral (Stark) Law prohibits physicians from referring patients to receive “designated health services” payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship unless an exception applies. As with the False Claims Act, the Stark law does not require proof of specific intent to violate the law. Penalties for self-referrals include fines and exclusion from Federal health care programs.

The Exclusion Statute requires the HHS-OIG to exclude individuals from participation in all Federal healthcare programs if they are found to have committed Medicare or Medicaid fraud, patient abuse or neglect, have felony convictions for other health-care-related fraud, theft, or other financial misconduct, or felony convictions for unlawful manufacture, distribution, prescription, or dispensing of controlled substances. Exclusion means Federal health care programs will not pay for items or services furnished, ordered, or prescribed by excluded individuals.

Under the Civil Monetary Penalties Law, the HHS-OIG may seek civil monetary penalties for a wide variety of conduct and also exclusion. Penalties range from $10,000 to $50,000 per violation.

The Roadmap for New Physicians and other guidance material is available from the HHS-OIG on this link.

The post Advice for New Physicians on Avoiding Medicare and Medicaid Fraud and Abuse appeared first on HIPAA Journal.

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has added the founder and CEO of the health technology firm Theranos, Inc. to the OIG exclusion list, which means Elizabeth Holmes is prohibited from participation in Federal health care programs for 90 years.

The Theranos Scandal

Theranos was a blood testing startup founded by Elizabeth Holmes in 2003. The company claimed to have developed revolutionary technology that could be used to perform hundreds of blood tests from a single blood sample. Instead of requiring a vial of blood, the technology could perform more than 200 blood tests using a single pinprick of blood. The company claimed its technology automated blood testing and that tests were inexpensive and fast. Holmes was able to raise $700 million in investment and the company was valued at around $9 billion at its peak, with Holmes owning more than half of the company’s shares.

The Wall Street Journal Pulitzer Prize-winning journalist John Carreyrou received a tip that the company’s technology was not what it claimed to be. Carreyrou spoke with members of the Theranos board who claimed they were lied to, there was a culture of intimidation and secrecy, and the company’s technology repeatedly failed quality assurance and sent incorrect test results to patients on which medical decisions were based.

Carreyrou published the story in 2015 that revealed the company was using third-party technology rather than its own, as its own technology was inefficient. The FDA launched an investigation into Theranos that found that the allegations in Carreyrou’s article were correct. The company was investigated by the Federal Bureau of Investigation and shut down.

Theranos and Homes denied the allegations and threatened to sue Carreyrou; however, in 2018, Homes stepped down from her position as CEO, and following an FBI investigation the company was shut down. Holmes, along with former company president Ramesh Balwani, were charged with criminal fraud for making false claims about the company’s technology and misleading investors.

In her trial, prosecutors claimed that the company’s technology could only perform a handful of the advertised tests themselves and the few tests that the technology could perform did not provide accurate results. Holmes was also alleged to have destroyed evidence before the company was shut down. Holmes admitted to making mistakes but she continued to protest her innocence and claimed that she never knowingly defrauded investors or patients.

In January 2022, Holmes was found guilty on four charges of defrauding investors and was sentenced to more than 11 years in jail from where she is attempting to appeal the convictions. Holmes was also ordered to pay $452,047,200 in restitution. Balwani was convicted of conspiracy to commit wire fraud against Theranos’s patients and investors and was sentenced to 12 years and 11 months in prison.

HHS-OIG Issues Notice of Exclusion

HHS-OIG Inspector General Christi A. Grimm announced on January 19, 2023, that Holmes had been added to the exclusion list due to her January 2022 conviction for wire fraud and conspiracy to commit wire fraud against Theranos investors.

The HHS-OIG has the authority under 1128(a) of the Social Security Act to exclude individuals from participation in Medicare, Medicaid, and other Federal health care programs. The minimum exclusion period for convictions of this nature is 5 years; however, Grimm explained that there were several aggravating factors that warranted a lifelong exclusion, including the length of time that the criminal acts were committed, the incarceration, and the amount of restitution that was ordered to be paid. Balwani had previously been excluded for 90 years due to his convictions.

“Accurate and dependable diagnostic testing technology is imperative to our public health infrastructure. False statements related to the reliability of these medical products can endanger the health of patients and sow distrust in our health care system,” said Grimm. “As technology evolves, so do our efforts to safeguard the health and safety of patients, and HHS-OIG will continue to use its exclusion authority to protect the public from bad actors.”

The post HHS-OIG Excludes Theranos Founder and CEO from Federal Health Programs for 90 Years appeared first on HIPAA Journal.

The OIG Stark Law is the section of the Social Security Act that prohibits physicians from referring Medicare and Medicaid patients to a non-exempted “designated health service” when the physician or an immediate family member has a financial interest in the service. The Law is named after Congressman Fortney “Pete” Stark who introduced the original “Ethics in Patient Referrals” bill in 1988.

The background to the OIG Stark Law is that, in 1972, Congress added an Anti-Kickback Statute to the Social Security Act in order to combat fraud and abuse in the Medicare and Medicaid programs. The Statute prohibits anyone from “knowingly and willfully receiving or paying anything of value to influence the referral of federal health care program business [to a particular healthcare provider]”.

The penalties for violating the Anti-Kickback Statute are up to five years in prison, criminal fines of up to $25,000, civil monetary penalties of up to $50,000, and – since 1977 – being included on the HHS OIG Exclusions List. Under the Civil Monetary Penalties Law, physicians who pay or accept kickbacks can be fined up to $50,000 per kickback plus three times the amount of the remuneration.

Self-Referral Loophole Closed by Stark

To circumnavigate the Statute, some physicians “self-referred” patients to health services in which they or a family member had a financial interest either through ownership, investment, or reimbursement (i.e., “consulting fees”). To close this loophole, Congressman Stark introduced the “Ethics in Patient Referrals” bill in 1988, prohibiting providers of Medicare services from accepting referrals from physicians with an ownership interest or other compensation arrangement.

The bill’s proposals for prohibiting referrals to clinical laboratories were adopted in the Omnibus Budget Reconciliation 1990. Three years later, the OIG Stark Law was extended to include designated health services other than clinical laboratories and patients covered by Medicaid as well as Medicare. Since 2001, the Centers for Medicare and Medicaid Services (CMS) has published regulations in the Federal Register to implement and revise provisions of the OIG Stark Law.

What does the OIG Stark Law Cover?

The OIG Stark Law covers physician “self-referrals” to designated health services when the service is billed to Medicare or Medicaid, and a financial relationship exists between the physician (or an immediate family member) and the health service. In such cases, not only is the referral a violation of the OIG Stark Law, but it is also a violation if the health service subsequently files a claim for payment – directly or indirectly – with a federal health care program. Designated health care services are:

• Clinical laboratory services.
• Physical therapy services.
• Occupational therapy services.
• Outpatient speech-language pathology services.
• Radiology and certain other imaging services.
• Radiation therapy services and supplies.
• Durable medical equipment and supplies.
• Parenteral and enteral nutrients, equipment, and supplies.
• Prosthetics, orthotics, and prosthetic devices and supplies.
• Home health services.
• Outpatient prescription drugs.
• Inpatient and outpatient hospital services

Exemptions and Advisory Opinions

In 2003, Congress authorized the Secretary of HHS to promulgate regulations exempting physician self-referrals from the OIG Stark law provided certain conditions are met and provided the referral is in the patient’s best interests. Since 2003, the list of exemptions has grown to include (but is not limited to) in-office ancillary services, indirect physician compensation (i.e., to a group practice rather than to an individual), self-referrals in rural areas, and compliance training.

The conditions that have to be met for an exemption to qualify as such are that there must be a written agreement in place, any compensation paid to a referring physician must not be based on the volume of referrals, and the amount of compensation must be commercially reasonable. If physicians or health services are unsure of whether a referral relationship qualifies as an exemption, they can apply to CMS for an advisory opinion. To date, CMS has published nineteen advisory opinions.

Penalties for OIG Stark Law Violations

Violations of the OIG Stark Law are civil violations, so there are no criminal penalties for violations of the law. However, because the law is linked to the Anti-Kickback Statute, the civil penalties for OIG Stark Law violations are substantial. Self-referring physicians can be fined $15,000 for each service they knew or should have known was provided in violation of the OIG Stark Law, with a potential fine of $100,000 if it is proven they deliberately attempted to circumnavigate the Anti-Kickback Statute.

The health service that benefitted from the self-referral will have to refund payments improperly collected, plus three times the amount if the payment was received from Medicare. Both the physician and the health service can also be added to the HHS OIG Exclusion List or required to comply with an OIG Integrity Agreement. For these reasons, if you have any doubts a referral may be in violation of the OIG Stark Law, it is recommended you seek professional compliance advice.

The post What is the OIG Stark Law? appeared first on HIPAA Journal.

OIG in healthcare stands for the Department of Health and Human Services (HHS) Office of Inspector General (OIG) – the Office within the HHS responsible for reducing waste, fraud, and abuse in HHS programs and improving efficiency. The Office is the largest OIG in any Federal Department, and employs more than 1,650 auditors, evaluators, and investigators, who are supported by teams of staff with legal, technological, and analytical experience.

The Background to the Office of Inspector General

The Office of Inspector General for the Department of Health, Education, and Welfare (as the HHS OIG was known as at the time) was created in 1976 to “supervise, coordinate, and provide policy direction for auditing and investigative activities relating to programs and operations of the Department”. The Office was also tasked by Congress to detect and prevent fraud and abuse in programs financed by the Department, and to promote efficiency within the Department.

One of the first tasks undertaken by the newly created OIG in healthcare was to establish the OIG HHS Exclusions List as required by the Medicare-Medicaid Anti-Fraud and Abuse Amendments 1977. However, the task of managing the database of individuals and organizations prohibited from participating in federal health care programs grew substantially following the False Claims Act Amendments of 1986 – overwhelming the Office until the passage of HIPAA in 1996.

Subtitle A of HIPAA Title II created and funded the Health Care Fraud and Abuse Control (HCFAC) program, which gave the OIG in healthcare the resources to enforce §1128 of the Social Security Act – “The Exclusion of Certain Individuals and Entities from Participation in Medicare and State Health Care Programs”. Due to the HCFAC program, the OIG in healthcare now excludes more than 2,000 individuals and organizations per year compared to just thirty-five in 1977/1978.

The Expanding Role of HHS OIG in Healthcare

Since its establishment (and the change of name to HHS OIG in 1980), the role of HHS OIG in healthcare has grown significantly. The Office now oversees activities in more than 100 HHS programs, conducts thousands of audits, evaluations, and inspections each year, and provides compliance guidance to tens of thousands of individuals and organizations to encourage compliance with regulations published by HHS agencies such as CMS, CDC, SAMHSA, and OCR. To cope with its expanding role and increasing workloads, HHS OIG divides its work between six sub Offices:

• The Immediate Office of Inspector General, which is directly responsible for the fulfillment of the OIG’s mission.
• The Office of Audit Services, which audits the performance of HHS programs, service providers, and contractors.
• The Office of Counsel to the Inspector General, which acts as an in-house legal counsel to the Inspector General and OIG’s other components.
• The Office of Evaluations and Inspections, which evaluates HHS programs to detect fraud, waste, and abuse and identify opportunities for improvement.
• The Office of Investigations, which conducts criminal, civil, and administrative investigations of fraud and misconduct relating to HHS programs.
• The Office of Management and Policy, which is focused on improving customer satisfaction with, and the reliability of, HHS programs.

Probably the most rapidly expanding role for the HHS OIG in healthcare is cybersecurity. HHS OIG has identified cybersecurity as the top challenge for the healthcare system, and has recently added a Cybersecurity and Information Technology Division to the Office of Audit Services and a Computer Crimes Unit to the Office of Investigations to combat cybersecurity threats within HHS and the healthcare system by fostering enhancements in IT controls, risk management, and resiliency.

Why It Is Important to Understand What the OIG in Healthcare Is

Although the primary role of the OIG in healthcare is to combat fraud, waste, and abuse, and improve the efficiency of HHS programs, the Office also recommends policy changes to agencies within the HHS. When a recommendation is adopted by an HHS agency, it can have a significant impact on the regulations that healthcare providers and their business associates have to comply with. An example of this is the investigation into OCR’s governance of cybersecurity threats.

The OIG investigation is looking into whether the existing Security Rule standards and OCR’s HIPAA audit program are sufficient to prevent and detect cyberattacks, ensure the continuity of patient care, and protect PHI. Although ongoing, the investigation has prompted HHS to publish a Healthcare Sector Cybersecurity Strategy, which not only suggests new HIPAA security standards will be introduced in 2024, but also that compliance with the standards will be a requirement for participation in Medicare.

The post What is OIG in Healthcare? appeared first on HIPAA Journal.

An OIG Corporate Integrity Agreement in healthcare is a contract between the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and an organization that has violated a fraud and abuse law, that outlines the future compliance obligations of the organization. The OIG Corporate Integrity Agreement is often part of a civil settlement for violating a fraud and abuse law that prevents the organization from being added to the HHS OIG Exclusions List.

HHS OIG investigates cases of potential fraud and misconduct related to HHS programs, operations, and beneficiaries. When violations of a fraud and abuse law (i.e., the False Claims Act, the Stark Law, the Anti-Kickback Statute, etc.) are identified, the HHS OIG has the authority to pursue a criminal prosecution, a civil prosecution, and/or administrative penalties such as license penalties, revocation of billing privileges, or exclusion from Medicare, Medicaid, and other federal health care programs.

When a civil prosecution results in a civil monetary penalty (or settlement) AND exclusion from federal health care programs, organizations may be offered the option of accepting an OIG Corporate Integrity Agreement depending on the nature of the violation and the organization’s previous compliance record. The OIG Corporate Integrity Agreement will outline what measures and practices the organization will be expected to implement and comply with over the following five years.

Being offered an OIG Corporate Integrity Agreement can be a lifeline for organizations that would otherwise cease to trade if they were excluded from federal health care programs. However, if an organization fails to comply with the terms of the OIG Corporate Integrity Agreement, the amount of the original civil monetary penalty can be increased, new civil monetary penalties can be imposed (“Stipulated Penalties”), and the organization will be added to the HHS OIG Exclusions List.

What an OIG Corporate Integrity Agreement Consists Of

OIG Corporate Integrity Agreements are tailored to address the cause(s) of the original investigation and any further compliance shortcomings that have been identified during the OIG investigation. They may also take into account elements of an existing compliance program (i.e., to comply with HIPAA). While each OIG Corporate Integrity Agreement may be unique, many have common core elements. These include:

• Hire a compliance officer (rather than designate the role to an existing employee).
• Appoint a compliance committee under the governance of the compliance officer.
• Develop written policies and procedures for issues noted in the Agreement.
• Implement a comprehensive training program for all members of the workforce.
• Retain an Independent Review Organization to conduct annual compliance reviews.
• Establish a confidential disclosure program to facilitate internal whistleblowing.
• Check each existing and new hire against the HHS OIG Exclusion List.
• Report overpayments, reportable events, and ongoing investigations/legal proceedings.
• Provide an Agreement implementation report and annual compliance reports to OIG.

With regards to retaining an Independent Review Organization (IRO), because each OIG Corporate Integrity Agreement is unique, there is no one-size-fits-all IRO. It may also be the case that more than one IRO is necessary if the requirements of the Agreement require an organization to retain (for example) experts in Medicare and State Medicaid programs, AND experts in the HIPAA Part 162 coding requirements, AND licensed healthcare professionals with specialized expertise.

The necessary qualifications for an IRO will be outlined in the OIG Corporate Integrity Agreement. However, once they enter into an OIG Corporate Integrity Agreement, organizations usually have 30 days to retain an IRO and send the details to HHS OIG – which reviews the IRO’s qualifications and either approves the IRO or requests that the organization terminates its relationship with the existing IRO and retains a new one. HHS OIG has published guidance on IRO independence and objectivity.

The Different Types of OIG Integrity Agreements

There are three types of OIG Integrity Agreements – the OIG Corporate Integrity Agreement as described above, an OIG Integrity Agreement for individual practitioners, small group practices, and small providers that will be less comprehensive than a Corporate Agreement, and an OIG Quality of Care Integrity Agreement for when a civil investigation and prosecution has found evidence of fraud that has impacted the quality of patient care.

In this third type of OIG Integrity Agreement, the organization will be required to retain an IRO with clinical expertise to perform relevant quality-related reviews in addition to an IRO with the qualifications to perform compliance-related reviews. In most cases, the IRO with clinical expertise will review the organization’s delivery of care and evaluate the organization’s ability to prevent, detect, and respond to patient care problems. The IRO’s review may also require peer reviewing.

The Difference between OIG CIAs and HHS CAPs

The difference between OIG Corporate Integrity Agreements (CIAs) and HHS Corrective Action Plans (CAPs) is that OIG CIAs most often form part of an investigation settlement that includes a civil monetary penalty, whereas a CAP is most often imposed by the Office of Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) in lieu of a civil monetary penalty. In addition, while an OIG CIA is usually five years in length, an HHS CAP is often concluded within a year.

If you are concerned that your organization – or someone within your organization – may be in violation of a fraud and abuse law or failing to comply with an HHS healthcare regulation, it is best to seek professional compliance advice. If you are a member of a healthcare organization’s workforce, you can also raise your concerns with your organization’s compliance officer, or contact HHS directly via the HHS OIG fraud hotline, the HHS OCR Complaint Portal, or the HHS CMS Complaint Service.

The post What is an OIG Corporate Integrity Agreement? appeared first on HIPAA Journal.

The HHS OIG Work Plan is a schedule of audits and evaluations conducted by the HHS Office of Inspector General that are intended to protect the integrity of HHS programs and the welfare of program beneficiaries. Unlike OIG Work Plans maintained by OIGs in other US Federal Government Departments, the HHS OIG Work Plan is “dynamic” and changes frequently to respond to emerging issues.

The Role of the HHS OIG

The role of the HHS OIG is to fight waste, fraud, and abuse in more than 100 HHS programs run by agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), and the Food and Drug Administration (FDA). It attempts to fulfil its role by conducting audits, evaluations, and – when necessary – investigations, and by providing outreach, compliance, and educational activities.

Because OIG staff cannot be in all places at all times, HHS OIG schedules audits and evaluations based on mandatory review requirements, requests made by Congress, and reported management or performance issues. The HHS OIG Work Plan can be – and often is – interrupted by an audit or evaluation progressing into an investigation, by the requirements of other oversight agencies, or by an emerging issue requiring prioritization.

HHS OIG Audits, Evaluations, and Investigations

HHS OIG audits, evaluations, and investigations are conducted by three Offices within the OIG – the Office of Audit Services, the Office of Evaluations and Inspections, and the Office of Investigations. Audits and evaluations most often assess the performance of HHS programs and service providers; and, if anomalies are identified, criminal, civil, and administrative investigations are initiated to detect cases of fraud and misconduct.

The majority of audits and evaluations do not progress into an investigation. Most often they provide insights into potential risks, suggest policies and procedures that could mitigate the risks, or make recommendations about improvements to existing programs. When an investigation is considered necessary, the most common outcomes are repayments of overcharged amounts, exclusions from HHS programs, civil settlements, or criminal charges.

Source: HHS OIG Semi Annual Report to Congress September 2023

Outreach, Compliance, and Educational Activities

As well as scheduling audits, evaluations, and investigations, the HHS OIG Work Plan includes outreach, compliance, and educational activities to (for example) warn program beneficiaries of healthcare-related scams, help service providers comply with HHS Regulations, and provide tools for service providers to comply with HHS Regulations. HHS OIG also encourages service providers to self-disclose potential fraud or misconduct in HHS programs.

In the context of helping service providers comply with HHS Regulations, one of the most recent activities on the HHS OIG Work Plan has been an update to the “General Compliance Program”. Not only has the guidance documentation been completely refreshed, but HHS OIG is planning to publish further industry segment-specific compliance program guidance throughout 2024 for different types of service providers participating in HHS programs.

HHS OIG Work Plan 2024

At present, Offices of the HHS OIG have more than 200 items scheduled for the HHS OIG Work Plan 2024. Almost half are from previous years and have been put on hold due to a lack of resources, because they are low priority, or because they are waiting for further information. Others are in progress and partially complete or waiting for a decision from an HHS program as to whether the recommendations in an audit or evaluation will be accepted or revised.

Active items in the HHS OIG Work Plan 2024 most likely to have an impact on service providers include a study of adverse events in hospitals affecting Medicare patients, an audit of workplace violence in NIH-funded institutions, and an investigation of OCR’s governance of HIPAA with regards to protecting ePHI from cyberattacks. This investigation will also determine whether minimum security measures should be a condition of participation in the Medicare program.

Why It Is Important to Keep Up To Date with the HHS OIG Work Plan

The reason it is important to keep up to date with the HHS OIG Work Plan is that HHS OIG audits and evaluations make recommendations that could be adopted in future HHS policies. While most service providers to HHS programs will be aware of the proposed changes to HIPAA and other HHS programs that have already been announced, making changes to accommodate the proposed changes without looking further ahead may create future compliance challenges.

The post HHS OIG Work Plan appeared first on HIPAA Journal.