Introduction

On February 12, 2016, CMS published a final rule addressing compliance with Section 1128J(d) of the Social Security Act. Section 1128J(d), which was added when the Affordable Care Act was enacted on March 23, 2010, imposes a requirement on providers and suppliers receiving funds under the Part A and Part B of the Medicare program (Medicare) to report and return overpayments. Specifically, it provides that an overpayment must be reported and returned by the later of (i) the date that is 60 days after the date on which the overpayment was identified or (ii) the date any corresponding cost report is due, if applicable. The retention of an overpayment after these deadlines creates an “obligation” for purposes of potential liability under the federal False Claims Act (FCA). See 31 U.S.C. § 3729, et seq.

On February 16, 2012, CMS published a proposed rule to implement Section 1128J(d). Following receipt and consideration of substantial comments, CMS issued its final rule to revise and clarify the statutory requirement to report and return self-identified overpayments. CMS’s final rule will become effective on March 14, 2016. The following revisions and clarifications by CMS are noteworthy.

The New Rule’s Provisions

The Identification of an Overpayment

In the wake of the passage of Section 1128J(d), uncertainty ensued concerning what it means to identify an overpayment, thereby triggering the clock on the requirement to make repayment. This concern was heightened on August 3, 2015, when a federal judge in the Southern District of New York issued the first judicial interpretation of the 60-day repayment rule in an FCA action based squarely on the defendant’s failure to repay a Medicare overpayment. U.S. ex rel. Kane v. Healthfirst, Inc., No. 11 CIV. 2325 (ER), 2015 WL 4619686 (S.D.N.Y. Aug. 3, 2015) [PDF]. The judge held that the date on which an overpayment was identified occurred when the provider was first put on notice of the possibility that an overpayment existed. In that case, this was the date that the provider first received an email from a then-employee listing claims that may have been billed improperly, even though the email also contained a statement that further analysis would be needed to confirm.

The court’s pronouncement was understandably troubling to the health care industry. CMS’s final rule allays this concern somewhat by stating that an overpayment is considered to be identified when a provider or supplier has or should have, through the exercise of reasonable diligence, determined that it has received an overpayment and quantified the amount of the overpayment. In other words, mere notification of the possibility of an overpayment does not start the 60-day clock ticking on the requirement to make a repayment, but instead triggers an obligation to exercise reasonable diligence. Thus, CMS has clarified that identification does not occur until both an investigation and quantification of the amount have occurred. Although providing much needed clarity in one respect, the adoption of the standard “has or should have determined” there was an overpayment injects a new degree of uncertainty that providers and suppliers need to consider.

The Adoption of the Reasonable Diligence Standard

CMS amended the final rule to eliminate the phrase “all deliberate speed” as the benchmark of compliance and adopted in its place a fact-dependent reasonable diligence standard. CMS stated that reasonable diligence is demonstrated through the timely, good faith investigation of credible information, which CMS describes as information that supports a reasonable belief that an overpayment may have been received. The 60-day time period begins when either the reasonable diligence is completed, or on the day the provider or supplier received credible information of the potential overpayment if the provider or supplier failed to conduct reasonable diligence. The final rule clarifies that the failure to conduct reasonable diligence, standing alone, does not create liability. Rather, a provider or supplier must also have received an overpayment that it should have identified before liability can exist under Section 1128J(d).

CMS considers reasonable diligence to include both proactive compliance activities to monitor claims and reactive investigative activities undertaken in response to receipt of credible information. In this regard, CMS was unwilling to provide any additional caveats for providers with a “certified” or “approved” compliance program, or to distinguish between large and small providers and suppliers. Rather, consistency and reasonableness are the themes repeated by CMS that will guide its interpretation of providers’ and suppliers’ efforts to identify overpayments. There is no amount overpayment or provider too small to be captured under the final rule, as evidenced by CMS’s refusal to create a de minimis exception to the final rule.

The Time Within Which to Exercise Reasonable Diligence

One aspect of the reasonable diligence standard that warrants attention is CMS’s pronouncement that the standard is demonstrated by a good faith investigation, which is “at most 6 months from receipt of the credible information, except in extraordinary circumstances.” CMS stated that it chose six months as the “benchmark” for timely investigation because it believes that providers and suppliers should “prioritize these investigations and also to recognize that completing these investigations may require the devotion of resources and time.” CMS then proceeded to state that following the six month period to investigate, it considers two months to report and return the overpayment a reasonable amount of time, for a total of eight months absent extraordinary circumstances. Thus, while clarifying in the final rule that the statutory 60-day clock does not run until identification has occurred, CMS has injected another area of uncertainty in announcing and imposing timing requirements that do not appear in the statute or the regulation.

The Shortening of the Lookback Period

CMS had originally proposed a lookback period of ten years from the date the overpayment was received, in part recognizing a ten-year period as the outer limit of FCA liability. Many commenters objected to a ten-year lookback period and indicated that a six-year lookback period is more commonly used in the FCA setting and more appropriate for identification of overpayments. Further, because the FCA is a fraud enforcement statute and some overpayments are simply the result of errors and mistakes that do not rise to the level of fraud, a ten-year period would be overly burdensome and unnecessarily require providers and suppliers to adhere to a de facto ten-year record retention policy when most only hold records for six or seven years. Similarly, according to commenters, a ten-year period would expand their reasonable efforts to identify past overpayments and would increase sample sizes for investigating past overpayments and statistical extrapolation.

CMS agreed with these comments, and reduced the lookback period to six years. In so doing, CMS addressed concerns regarding whether providers and suppliers must look back beyond the three years covered in a Recovery Audit Contractor (RAC) audit that identifies overpayments. Consistent with the reasonable diligence standard in the final rule, CMS indicated that when a provider or supplier receives credible information of a potential overpayment, such as a RAC finding, they do indeed need to review such findings and determine whether they have received overpayments going back the full six years.

The lookback period of six years should be considered with the rest of CMS’s responses to comments as reflecting a general theme of reasonable diligence. A provider or supplier cannot ignore credible reports or findings of a potential overpayment in one year, and/or ignore the broader potential overpayments during the full six-year lookback period, where to do so would be unreasonable. Where the nature of the information requires investigation and reactive measures for the full six years, providers and suppliers cannot ignore their obligation to investigate.

The Final Rule is Not Retroactive

This final rule is not retroactive and a failure to comply with the specific requirements of the final rule prior to March 23, 2010, the effective date of Section 1128J(d), is not a violation of the statutory provision or the rule. However, beginning on March 23, 2010, providers and suppliers that had not already returned a particular overpayment were required to report and return such overpayment, even if the overpayment was received prior to March 23, 2010. Thus, for the time period between March 23, 2010 and the effective date of the final rule – March 14, 2016, providers and suppliers may rely on their good-faith and reasonable interpretation of the repayment requirements. For providers and suppliers reporting and returning overpayments on or after March 14, 1016, even if the overpayments were received prior to that date, the requirements of the final rule apply.

Effect on Self-Disclosures Pending With CMS

For overpayments reported through the CMS Self-Referral Disclosure Protocol (SRDP) prior to the effective date of the final rule, the six-year look period will not govern, including those which are still in the process of being reviewed by CMS. Providers and suppliers that made a good faith effort to comply with the overpayment requirements by reporting and returning overpayments through SRDP, which until now has used a four-year lookback period, are not expected to return overpayments from the fifth and sixth year through other means. Going forward, however, the final rule will govern. Relatedly, the Paperwork Reduction Act only authorizes CMS to collect financial analysis of overpayments that occurred during a four-year lookback period. CMS is currently seeking authorization to adjust the period to six years in connection with this final rule. Until then, providers and suppliers have no duty to provide such financial information from the fifth and sixth years, but may do so voluntarily through other means.

Other Noteworthy Points

• In circumstances where a paid amount exceeds the payment amount to which a provider or supplier is entitled, the overpayment is the difference between the amount that was paid and the amount that should have been paid. In the case of an overpayment resulting from a violation of the Anti-Kickback or Stark statute, or from goods or services provided by an excluded individual, the entire amount received is considered an overpayment.
• A single overpaid claim can trigger the obligation to investigate further to determine whether there are more overpayments on the same issue. Similarly, unusual trends in profits can trigger the duty to investigate.
• CMS reiterated that although the OIG Self-Disclosure Protocol tolls the 60-day clock, if negotiations stall or break down, providers and suppliers only have the balance of the 60-days to report and repay overpayments. CMS revised the final rule to clarify that the same rule applies to a failure to reach a SRDP settlement. In other words, a self-disclosure to either CMS or OIG does not reset the window, it simply tolls it.
• CMS eliminated the required use of the existing voluntary refund process that relied exclusively upon a Medicare contractor’s form for reporting overpayments, instead recognizing that additional processes could be used, such as the claims adjustment, credit balance, self-reported refund process, or other appropriate process to report and repay. Providers and suppliers also may request a voluntary offset from the contractor.
• For payments made through the cost reporting process, CMS explained that the “applicable reconciliation” is the year-end reconciliation of payments and costs to create the cost report. Overpayments should be returned at the time the cost report is filed. Overpayments identified after the cost report is filed, but before issuance of the Notice of Program Reimbursement, are subject to this 60-day rule, and must be reported (or the cost report amended) and timely returned. If the audit results in a repayment, the provider is responsible for reporting and repaying overpayments due for other years not covered by the audit (where the other years are affected by the auditor’s adjustments in the audited year).
• CMS eliminated the thirteen data elements listed in the proposed rule as requirements to be reported to a Medicare contractor with an overpayment, allowing for existing processes that do not always account for these data points. However, CMS reiterated that where the overpayment is extrapolated based on a statistical sample, the report must include an explanation of how the overpayment was calculated. Statistical sampling is not necessarily required, but providers and suppliers must calculate the overpayment in a way that is reliable and accurate.

Ober|Kaler’s Comments

CMS characterized the final rule as providing clarity and consistency for providers and suppliers on the actions they need to take to comply with Section 1128J(d), going so far as to describe the final rule as providing bright line standards to assist in compliance. While it is true that the final rule has provided some clarification, particularly with respect to the trigger of the obligation to make repayment, CMS has injected several fact-specific concepts and standards that create new uncertainty. Given this murkiness, combined with the possibility of exposure under the FCA, providers and suppliers should review policies and procedures governing the receipt, initial assessment, and investigation of complaints suggesting there may have been an overpayment by the Medicare program. Moreover, in light of the requirement to engage in reasonable diligence, providers and suppliers should maintain records that accurately and timely document the investigative process.