Doctors, nurses, hospitals and other health care providers, should know that the pandemic has not deterred federal or state authorities from prosecuting false claims, HIPAA and other types of enforcement actions in Connecticut. October began with John Durham, the United States Attorney for Connecticut, announcing two settlements in cases involving allegations of federal and state False Claims Act improprieties and, by mid-month, State Attorney General William Tong’s office had announced that Connecticut along with 27 other states had settled a multi-state data breach investigation against Community Health Systems, Inc. (“CHS”), one of the country’s largest operators of acute care hospitals.

Finally, on October 30, 2020, Mr. Durham’s office, in cooperation with Connecticut DEA and state Department of Consumer Protection-Drug Control Division agents, announced that a Connecticut APRN had pled guilty to unlawful distribution and dispensing of controlled substances for writing Oxycodone and Xanax prescriptions outside the scope of her professional practice and not for legitimate medical purposes.  Clearly, while federal and state regulators – like the provider community — have been consumed by the dramatic changes to the health care system that have occurred since March, that does not signal a free pass on compliance matters.

One of the false claim settlements  involved a dentist and his dental practices who was alleged to have submitted claims for dental restoration services that were not provided or were not medically necessary and x-ray services that were provided by individuals not properly certified to take x-rays. That case resulted in an agreement to reimburse the Medicaid program $300,000. The other case involved a drug and alcohol counselor and his behavioral health practice alleged to have submitted billings for services provided by unlicensed personnel. That action resulted in an  agreement  to reimburse the Medicaid program $230,000. In both actions, there was no admission of liability by the defendants.

The restitution amounts involved in both matters are small when measured against the amounts sought in coordinated nationwide enforcement efforts described in US Attorney Durham’s announcements. According to his announcements, the United States Department of Justice (DOJ) has its sights on more than 300 defendants in criminal and civil cases across 51 federal districts, including more than 100 doctors, nurses and other licensed professionals and more than $6 billion in false and fraudulent claims to federal health care programs and private insurers.  In fiscal year 2019 alone, the DOJ stated that it has recovered $2.6 billion in matters that involved the health care industry.

Meanwhile, on the HIPAA front, the multi-state settlement with CHS impacted 6.1 million patients across the U.S., including 4,746 Connecticut residents whose names, birthdates, social security numbers, phone numbers and addresses as patients were exposed even though CHS did not own, operate or lease any hospitals in Connecticut at the time of the breach.  The settlement calls for CHS to make a collective $5 million payment to the states impacted and implement a comprehensive security program to better safeguard the personal information of patients, including protected health information (“PHI”).   

Besides remaining vigilant to enforcing privacy and security rules within their health care organizations and otherwise ensuring that their compliance programs are not neglected during the pandemic, Connecticut providers should continue to train personnel to avoid the types of preventable errors that we commonly see as leading to overpayment recoveries by Medicare, Medicaid and commercial insurance programs as well as potential exposure to state and federal False Claims Act and other civil and criminal liabilities:

• Inadequate documentation to support the reasonableness and medical necessity of the service, including inattention to time-based codes and signature requirements;
• Failure to maintain necessary licensure or other credentials of personnel and appropriately document telehealth encounters;
• Inadequate supervision of mid-level practitioners as well as other ancillary service providers and inattention to scope of practice limitations;
• In drug prescribing and dispensing controlled substances and other drugs, failure to maintain records in conformance with DEA and DCP requirements, including inattention to checking the Connecticut Prescription Monitoring and Reporting System (CPMRS) database;
• Failure to check staff and vendors against government exclusion lists;
• Failure to timely investigate and return Medicare and Medicaid overpayments in violation of the 60-day overpayment rule; and
• Backdating patient records and, especially in investigations where there are allegations of upcoding, overreliance on electronic health record templates and “cut and paste” functions.

The bottom line is that all the disruption to health care services and the operations of many health care providers caused by the COVID-19 can’t lead to lax compliance efforts.  In fact, despite the CMS granting of blanket waivers concerning some aspects of the Stark and Anti-kickback laws, the HHS Office of Civil Rights relaxing some HIPAA requirements and a host of moratoriums involving the licensure of facilities and out-of-state providers at the state level, these efforts need to be emphasized and enforced with even more vigilance than was the case pre-pandemic.

[View source.]