This year will see a continued proliferation of enforcement against health-care fraud, with old and new theories. Some hot spots for enforcement will involve cases about new technologies; data outliers; entities perceived as exploiting ambiguous requirements; patient data safeguards; allegations of kickbacks, lack of medical necessity, and services not provided; and Covid-19-related cases.
Some types of entities seem particularly vulnerable to enforcement these days: companies operating in the managed care space, digital health providers, telemarketers related to health-care services, innovative labs and diagnostics companies, pharmaceutical companies, nursing homes, hospice providers, and companies owned by private equity.
For each hot spot, there are actions entities can take to reduce exposure.
New Technologies
Technologies such as those using artificial intelligence, digital medicine, or remote patient monitoring present novel compliance challenges, which in turn draw enforcement attention.
The Biden administration in October issued an executive order directing agencies, including the Department of Health and Human Services, to develop plans for responsible AI use.
Health-care industry participants can’t let the excitement of deploying technological advances outpace their compliance programs.
Data Outliers
The federal government and many states have devoted extensive resources to data mining and are getting better at identifying outliers based on several metrics, including provider prescribing tendencies, diagnosing habits, and use trends.
Those with the greatest risk of exposure from data mining are providers of health-care services, entities operating in the managed care space, and pharmaceutical companies. Being an outlier can subject companies to civil liability or criminal legal exposure.
Providers with the resources to do so may consider data mining on their own to get ahead of any potential outlier trends. Once outliers are identified, a thoughtful approach and an internal investigation may be warranted, because being an outlier doesn’t necessarily mean there has been fraud and because course-correcting any misconduct is better accomplished sooner rather than later.
Perceived Exploitation
To operate in the health-care industry is to face a labyrinth of rules, requirements, and directives. Underlying legal requirements are often less than clear, and questions arise about whether a defendant can have fraudulent intent—for instance, under the False Claims Act—when the defendant has misinterpreted an ambiguous directive.
Defendants have historically argued that if a requirement is ambiguous, and there’s a reasonable, but incorrect interpretation of the ambiguous requirement that would render the defendants’ conduct acceptable, they can’t have the requisite scienter under the False Claims Act.
The US Supreme Court ruled in 2023 that an ambiguous requirement doesn’t excuse a provider’s noncompliance.
It held that what matters for the purposes of scienter under the False Claims Act is the provider’s interpretation of the requirement, and that if the provider knew of a substantial and unjustifiable risk that its claims could be false, that was sufficient to meet the intent requirement of the False Claims Act, regardless of any ambiguity in the underlying legal requirement.
To help combat allegations of fraudulent intent that may later surface, entities may consider creating contemporaneous, non-privileged records regarding the reasoned basis for their interpretation of any potentially ambiguous requirement.
Patient Data Safeguards
There are many reasons for enforcers to increase their focus on health privacy. These reasons include fast-moving AI development, growing sophistication of cybercrime schemes, the expansion of telemedicine, and marketability of patient data.
Even reckless disregard for the security of patient information can result in fraud risk exposure, and providers should be careful to safeguard patient data and to use new technologies and AI carefully and responsibly.
Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative, inaugurated just two years ago, is still in its nascent phase in search of new targets. Pursuant to that initiative, the Department of Justice seeks to hold accountable those who put information or systems at risk by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices or protocols, or violating obligations to monitor and report incidents and breaches.
As new technologies are implemented and deployed, companies should pay close attention to responsible safeguarding of patient data and appropriate reporting of breaches.
Kickbacks, Medical Necessity
We expect the steady clip of kickback allegations in a variety of contexts, and allegations related to kickbacks, lack of medical necessity, and services billed but not provided, to continue as ever. Our advice on this one? Don’t forget compliance basics.
Covid-19
We haven’t seen the end of pandemic relief fraud cases, cases related to Covid-19 testing kits, and cases related to purported treatments. When concerns are raised in any compliance area, an internal investigation and, where appropriate, self-disclosure should be considered.
The Covid-19 public health emergency is still very much on the mind of enforcers, and these issues remain well within statutes of limitations for fraud claims.
Looking Ahead
Health-care enforcers and their resources are plentiful. The Department of Justice recently announced its plans to add more criminal health-care fraud prosecutors. Whistleblowers and their counsel are creative at asserting liability across a host of scenarios.
To greatly reduce the risk of health-care fraud exposure, companies should ensure they’re dedicating appropriate resources to robust compliance programs that work on paper and in practice. It’s imperative that they vet business practices against the legal and enforcement environment. Health-care compliance is complex, and enforcement will continue to be red-hot.
This article originally appeared in Bloomberg Law. Reproduced with permission. Published January 2, 2024. Copyright 2024 Bloomberg Industry Group 800-372-1033. For further use please visit https://www.bloombergindustry.com/copyright-and-usage-guidelines-copyright/.