Stark Law, False Claims and HIPAA: Key Risk Areas for Hospitals

At the Becker's Hospital Review Annual Meeting in Chicago on May 11, Scott Becker, JD, CPA, partner with McGuireWoods in Chicago and publisher of Becker's Hospital Review, discussed the key legal and risk areas facing hospitals. Meggan Michelle Bushee, JD, and Holly Carnell, JD, both from McGuireWoods, also participated in the panel discussion.

Below are summaries of the panel's discussion on Stark Law, the False Claims Act, the Health Insurance Portability and Accountability Act and hospital compliance plans.

1. Stark Law
Mr. Becker first discussed trends in Stark Law. "The most-often-talked-about thing in the Stark Law is terms of the physician relationships statute, or what you can and can't do with physicians," said Mr. Becker. Here are the eight most common legal issues he's seen gain the most attention and scrutiny under the Stark Law umbrella:

1. Employment and part-time employment
2. Call coverage
3. Joint ventures
4. Co-management and gainsharing
5. Acquisitions of practices
6. Technical contract details
7. Whether hospitals should self-report or not
8. Special ancillary arrangements
9. Medical directorships

Mr. Becker noted that about 50 percent of physicians are employed by hospitals and about 80 percent of physicians have financial relationships with hospitals. "Of that 80 percent, there is certainly some percentage [that have] financial relationships where no one will admit it, but things are aligned for referrals," said Mr. Becker.

For example, Mr. Becker said there are generally two types of co-management agreements. In the first, a hospital goes to physicians with a core purpose behind the co-management or gainsharing, whether that is to improve quality, throughput, certain reporting measures or meet another real need. The second kind involves hospitals coming to attorneys and saying they want to gain profits or improve their ties to physicians through co-management or gain-sharing arrangements, and they need a formula to do so because there isn't a firm purpose. "The first kind is completely legal, the second kind is trying to get money," said Mr. Becker.

2. False Claims Act
"You used to hear about False Claims cases every once in a great while," said Mr. Becker. Most were pharmaceutical cases, and most were based on improper billing. He also said 10 years ago, it was easy to look at recent cases of healthcare fraud and identify a bad intent or bad actor. Many cases were egregious and severe.

Under the Patient Protection and Affordable Care Act, if hospitals have a kickback or Stark Law violation, the law automatically categorizes claims resulting from the allegedly improper relationships as false claims. "In the old days, your audit risk was somewhat limited," said Mr. Becker. "The government either came after you or not. If you're a good actor that made some mistakes, you'd find some reasonable settlement."

Now, many settlements and self-reporting may not be signs of "bad actors" but sloppy documentation. "Often under Stark Act, every relationship has to be in writing. You might pay someone call but you don't have it documented correctly. A lot of things are technical violations." Now, more large settlements result from self-disclosure to the government. Whistleblowers are also bringing suits forward regarding how — not whether — services were provided.

"Over the last decade, people have started to bring False Claims suits not about [billing for a service that wasn't performed,] but that an improper payment arrangement led to the provision of the service," said Mr. Becker.

Settlements for False Claims cases can be in the millions, even if for technical errors. The cost to fight a False Claims case and the potential damages are so great — often times in the billions — that hospitals and systems will often settle for several million. "By deputizing the whole world, the False Claims Act doesn't have just the government going after you. Anyone can come after you based on it. You need as strong a record internally as possible," says Mr. Becker.

Ms. Bushee discussed recent actions under HIPAA. "It's helpful to review enforcement actions," said Ms. Bushee. "It shows what areas the Office for Civil Rights is really focusing on in [HIPAA] enforcement. Here we see a focus on complying with security requirements."

February 2011: Massachusetts General Hospital in Boston was ordered to pay a $1 million settlement for the alleged loss of documents from a hospital's outpatient practice. The documents included personal health information for 192 patients.

July 2011: UCLA Health System was ordered to pay an $865,500 settlement for employees allegedly having unauthorized access to PHI of celebrity patients.

September 2012: Massachusetts Eye and Ear Infirmary in Boston was ordered to pay a $1.5 million settlement for the alleged theft of an unencrypted laptop, which included prescriptions and clinical information for 3,621 patients.

4. Compliance plans
Ms. Carnell closed the panel presentation by discussing seven key actions hospitals and healthcare providers should take to ensure their compliance plans are comprehensive and effective.

1. Perform regular internal audits.

2. Implement compliance standards. "This is having a real program with real standards, not a dusty binder on a shelf," said Ms. Carnell.

3. Designate a compliance officer. That compliance officer should be in all key meetings.

4. Conduct training and education. "Training should not be the initial hire and updates maybe once a year or for a new legal program. I like to put compliance reminders on clients' calendars," said Ms. Carnell. "Create a living, breathing program."

5. Respond correctly to potential compliance issues. "The person who comes forward with a compliance problem will be the first witness in a government investigation," said Ms. Carnell.

6. Open lines of communication. Every employee should feel as though they can be honest with and communicate openly with their managers or compliance. Employees should not fear retribution when reporting legal concerns.

7. Enforce disciplinary standards with guidelines.

Copyright © 2023 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars