Chris Eades: Hello, and welcome to Hall Render’s Practical Solutions in Healthcare Podcast. This episode is part of our ongoing series called Critical Considerations for Virtual Care and we’ll be focusing on considerations for fraud and abuse.

My name is Chris Eades. I’m a shareholder here at Hall Render and a member of our firm’s virtual care team. I am joined today by one of my fellow shareholders, Ritu Cooper. Ritu is a service line leader in our healthcare compliance group, and she has particular experience with healthcare compliance related investigations, disclosures, and related matters. So really the perfect person to have available today to speak to these issues. Ritu, before we dive in, could you maybe tell us a little more about your individual practice?

Ritu Cooper: Oh sure, Chris, thanks. And thanks so much for inviting me to join you today. I’m thrilled to be able to talk to you about this topic. So yeah, as you said, I co-lead the compliance service line. I work primarily with large hospitals and health systems, large physician practice groups. I have some clients that are kind of other, that fit in that med device type space or med device adjacent. But with all of the clients, the work I do is compliance related and related to compliance with fraud and abuse laws, like Stark and Kickback and Civil Monetary Penalties laws, anything that really talks about referral sources and physicians.

As of late, probably in the last four or five years, I’ve done quite a bit of work with clients that are under CIA’s, corporate integrity agreements, and help manage all of the requirements that they need to comply with. So with that, I end up splitting my time working with compliance officers and with legal counsel. I sometimes look at myself as kind of that liaison between the two, there’s oftentimes, with a client, I might be engaged by both offices for very different projects.

Chris Eades: Perfect. So let me set the stage here a bit for our conversation today. We’ve seen a lot of headlines regarding the potential for fraud and abuse in relation to the provision of virtual care. And it’s a bit of an interesting dynamic because we saw these headlines and we saw some of these concerns well before COVID-19. The potential for fraud and abuse through virtual care was often cited, I think along with the concern for unnecessary spend as a reason maybe not to expand virtual care services, or at least facilitate expansion through just some more relaxed regulation and payment rules. And then of course, when that pandemic hit, there was just the need for virtual care, and we had to put aside some of those concerns, increase the flexibilities, and allow for the provision of care through virtual care as we’ve seen.

And so, at this point, as we ease out of the pandemic, it’s an interesting dynamic because the genie is out of the bottle, so to speak, in terms of the benefits of virtual care. It’s been used, there are lots of studies that demonstrate that it’s in demand and will continue to be in demand, that many providers want to be able to use virtual care. But we’re now starting to see and hear the same sorts of concerns that we saw pre-pandemic, and those include the concern for fraud and abuse.

And so even just a few weeks ago, the US government’s Accountability Office issued a report and highlighted, as part of that report, concern regarding fraud and abuse. One of the quotes from that report was, “Both the Medicare and Medicaid programs are on the GAOs high risk list in part due to concerns about fraud, waste, and abuse, the increased program spending, the lack of complete data, and suspensions of some program safeguards increase these risks.”

So it seems to, once again, be front and center, we’ve seen also the US Department of Justice make it very clear that the DOJ will be looking for fraud and abuse in this arena, and those individuals that do try to take advantage of some of those flexibilities, we’ve even seen headlines, again, just a few days ago, where the DOJ announced criminal charges against 14 telehealth execs who were alleged to defraud Medicare. So has been, it continues to be kind of front and center here as we talk about virtual care. So, with that in mind, Ritu, what’s your initial take on fraud and abuse in this arena, do you see this as an area that is ripe for abuse, and if so, why?

Ritu Cooper: Oh, absolutely, Chris. I mean, for all of the reasons that you’ve said. In fact, I was doing a presentation with someone from the DOJ and OIG for AHLA back in the fall, and on the day that our presentation aired, they announced one of the biggest investigations that was alleging fraud and abuse in the telemedicine space. There was also opioid as well, but I mean, there were 86 different providers, physicians, nurses, et cetera, that were even indicted, I mean, for anti-kickback type violations. And they alleged that there was, I think, $4.5 billion in claims related to telemedicine. And it was that there were unnecessary services that were provided, they were providing testing like genetic testing and various things via telemedicine, they were providing pain medication to patients they had not even seen ever in person, barely even talked to them via a platform, some of it could have been even very, very brief telephonic conversations.

So, in preparation for that, they didn’t tell me that it was going to drop the day that our presentation aired. But when we were preparing, they were talking about how, just like you said, pre-pandemic, this was an issue, and definitely a heightened area of focus because all of a sudden we needed to be able to provide telehealth services. Very, very quickly. Whereas we had clients before and, Chris, you and I have worked with a number of clients where they’re contemplating and thinking about it, and then once we kind of tell them all the things they need to think about, they kind of shied away from putting a program together. But all of a sudden last March, all of our clients said, “Oh, I know I said it was hard, but now I have to, so let’s figure it out.”

And so I think that this area in particular, because from my vantage point, even though hopefully this pandemic will end soon, I don’t think telemedicine is ever going to end. I mean, it was an area that you saw years ago that was starting to come into focus. Now that it’s here, I think that we’re only going to be looking at ways to enhance the services that are provided while still trying to figure out how to fit within this fraud and abuse landscape.

Chris Eades: So Ritu, for the benefit of the audience here who may have different levels of familiarity with these rules and regs, let’s step back, and can you maybe highlight for us the primary laws or regulations that we’re even talking about here really in the context of fraud and abuse?

Ritu Cooper: Sure. I think the first one that I think is important to understand, and then the other two fall into place, is the False Claims Act. So all of these cases, or most of these cases come forth to the government based on their belief that there was a claim that was submitted to the government that was false in some way. And that’s the False Claims Act.

The vehicle that they use to claim that something was false was that you violated the Anti-Kickback Statute or the Stark law. And the Anti-Kickback Statute says that you cannot knowingly solicit or receive a kickback for referral of Medicare business or Medicaid business, any kind of federal health care program business. And so, that law is very, very broad, it doesn’t apply just to providers, to physicians, it applies to anyone who could be a referral source. So you may see pharma and device companies, anyone else, pharmacists, anyone else could fit into that mold for anti-kickback as someone who can be a referral source.

The Stark law, however, is a little bit more narrow. It’s strict liability, there’s no knowledge or intent that is required, it’s either you meet an exception or you don’t meet an exception. And the Stark law says that if you are a physician who has a financial relationship with a DHS entity, so it designated health services entity, like a hospital, which is probably primarily what we’re talking about today, you then can not refer patients to that entity unless you meet an exception. And then each of the exceptions have seven or eight different elements, and you must meet all of those elements in order to be able to be protected from any kind of Stark liability.

Chris Eades: So Ritu, what are the potential consequences here for a health system or a hospital provider that fails to comply with these provisions that you’ve talked about?

Ritu Cooper: So under each of the laws, both the Anti-Kickback Statute and the Stark law, they have their own civil monetary penalties per claim, and they range from 15 to 20,000 or something like that. But that’s not where the big dollars are. The big dollars really come from a potential of a False Claims Act case where those claims are anywhere from 11 to $22,000 per claim. And on top of that, a potential for treble damages. And what the government says is that every claim with that physician during the time period where you did not meet an exception is what is at stake. So you’re looking at millions and millions of dollars of potential liability.

In addition to that, you also are liable for returning any money that you charged the government potentially. And then under the Anti-Kickback Statute, there is a potential for criminal penalties. So you could get up to 10 years in prison. Added to that, in 2015 through the Yates Memo that came out, the government has had a heightened focus on individual liability. And if you read what has come out of the government since 2015, which is so hard to believe that that was six years ago, they said, “Well, we’ve always cared about individuals, and we’ve always cared about those bad actors within an organization who might have been putting forth the scheme or the arrangement that doesn’t comply with the law.” But what came out in 2015 was that these individuals could no longer be indemnified by their organization and that individuals would have to pay and be held accountable on their own.

And so I think, don’t want to quote the number because I haven’t looked at it in a couple of months, or maybe even since last year, but I think there were over 50 or 60 individual liability cases since 2015. The first one came out in 2016, one year later after the memo came out. So you’re looking at even individuals facing issues where their company, their organization can not protect them as well.

Chris Eades: So significant consequences obviously, and the need to avoid those scenarios. Let’s maybe talk more generally about actions that should be taken by providers to avoid those scenarios. I mean the False Claims Act, Stark, Anti-Kickback, broader concepts, of course, than just virtual care. So let’s start more generally, Ritu. What does a healthcare organization or provider need to have in place to assist, to avoid a fraud and abuse scenario?

Ritu Cooper: So the biggest thing that the government looks at is whether an organization has a compliance program in place. So what the government feels is that if you have a compliance program in place and you’ve instructed the entire organization that compliance is important to you and educated on that, then you will be able to protect the organization.

So the OIG came out with guidance starting in 1998, and now I think there’s 13 different documents out there, but all of them center around the seven elements of an effective compliance program. So you need to have compliance administration. So someone in charge of the compliance program, maybe a committee that helps them, that represents a cross section of the organization, as well as the board that understands that they have compliance oversight over the organization.

Number two is to have policies and procedures in place specific to compliance in general, and then also specific to the various areas within the organization that might be impacted that have requirements from the government. The third is to have a hotline so that if any issues come forward, then the employees within the organization can bring them forward in the compliance department can follow through.

Number four is education and training, and is making sure that people are educated and understand the policies that they need to follow, as well as the laws externally. Number five is there is a robust auditing and monitoring program in place, and what that means is conducting a risk assessment, putting together a work plan where you’re focusing on the areas that you need to. We know that there is no organization that can look at 100 things in a year. So you really need to focus and narrow in on, “What are we doing that could be high risk?” And then paying attention to that throughout the year.

Number six is having appropriate disciplinary policies that state that, “We take compliance seriously and if you do not comply, or you do not help with internal investigations or bring things forward that we know that you’re aware of, then there will be consequences.” And those consequences are equal no matter what your level is, whether you’re the CEO of the organization or you’re working in the filing room. And last but not least is once you’ve conducted investigation and you’ve conducted it promptly, you’ve put corrective actions in place to make sure that your corrective actions are working as well.

Chris Eades: Ritu, thanks for that. I think that’s helpful information and probably a good segue into then discussing legal compliance more specifically in the virtual care arena. And I’ll just speak just for a moment here in terms of what I’ve seen. And what I’ve seen, I think was much of the obvious, which is the majority of providers out there needed to ramp up very quickly with respect to virtual care. When the pandemic hit we needed a different way to provide services, virtual care was available. And so the focus necessarily was converting to that modality in terms of the provision of services.

We’re at a point now as we ease out of the pandemic where the focus is more on, “Where do we go next? Do we want to continue to provide all of the same services through virtual care that we have been? Can we do that? And then how do we do that?” Because the regulatory landscape is quite complex and always changing. And so that seems to be most of the focus, at least in terms of what I see.

What I have not seen a lot of is what is our structure for legal compliance specific to virtual care? You had mentioned the core elements of a compliance plan, and one of those elements involves an audit function, a work plan for, “How do we ensure that we are avoiding these fraud and abuse scenarios, and we are vetting for ongoing legal compliance?” And so, I do see this as an area that has been lacking. And understandably so, again, the focus needed to be on, “Let’s get through this pandemic and provide the necessary services.” But we are at a point where I think it’s very important, as we look the next steps, to ensure legal compliance with respect to virtual care services. And I am seeing that there’s a delta there, that we need to play some catch up, and wrap our arms around this. What have you seen, Ritu? Are you seeing the same? Have you seen different?

Ritu Cooper: No, I think you’re exactly right. I mean, I think anyone who had telehealth before the pandemic, they were thinking about it, but it was very, very few. Now we’ve seen… I can’t think of a client or a provider that isn’t providing some kind of telehealth services, but I will tell you, I rarely see that coming through the compliance department or being something that’s evaluated.

Chris Eades: So let’s focus on that piece then, Ritu. So recognizing kind of the general concepts that you outlined for a viable compliance plan, what more specifically should be considered as part of a plan to avoid fraud and abuse in the virtual care arena?

Ritu Cooper: No, that’s a really good question. So I think the first thing is that compliance can not help with anything if compliance is not aware of what is going on. And that’s why number one, in that element number one where you have someone who’s in charge of the program but there’s also a committee, you want to make sure that that committee really does represent the cross-functional departments of the organization. And you need to have high level folks that are on that committee.

Compliance may not be aware of that all of a sudden we’re providing telehealth services, or we’re providing telehealth services at an exponential level before the pandemic. So those ideas or that information would come through compliance through that committee. And then let’s say that the person who is in charge of the telehealth program is not there on the committee, well, you always can add people to the committee. So that would be number one, is to make sure that we have the right people who are thinking about it.

The second thing would be, is let’s put together some kind of policy, or procedure, or something that describes the program that’s being put into place and describes all of the little areas where we might need to audit, or monitor, or check. The third thing would be the work plan and the risk assessment. So, one thing if you’re not familiar with risk assessments is what a lots of organizations do is they throw out surveys to a cross section of the organization, asking them questions about different areas to see if they are compliant.

So, for example, you might send a survey out to your real estate group asking them questions that track the real estate exception under Stark and Kickback. So do you enter into arrangements with physicians? Are they in writing? Do you have a fair market value assessment, et cetera. Telehealth is not one of those risk assessments that we normally see because it’s something that was rare pre pandemic.

So I would suggest working with the operational individuals who have put together the telehealth program to understand all the elements of the program, put a risk assessment together, and then put a risk assessment questionnaire together, and then send that out to the folks that are actually implementing the telehealth program to get their take on, “Are we meeting all of those requirements that we need to be meeting?” You might even need to have legal involved in putting that together as well because there could be other requirements that maybe even the operations folks might not be aware of.

And then once you get the answers back from that, and then you see how much telehealth you’re providing, more likely than not you’re going to identify that as a potential risk, not that we’re saying that you do anything wrong, but in an area that you might need to have more auditing and monitoring, you put that on the work plan, and then in the next year, you audit and monitor that.

And then all of the other elements kind of fall into line. So if you have a policy, you educate on the policy, you may see questions come in through the hotline, then you want to know how to answer those questions. If you conduct an investigation, you may want to put corrective actions to place if you realize that you’re not doing something accurately, and put those in place fairly quickly. So all seven of the elements can be touched on, but those three would probably be my main ones to focus on.

Chris Eades: Thanks Ritu. That’s really helpful. And it dovetails with my own observations with respect to virtual care. And I’m glad you mentioned the structure and the way that you did because one of the challenges here seems to be being in a position to vet the different angles here. And to be in a position to hear from providers maybe that want to offer new services through virtual care. As I view it, you need your kind of legal piece to this, your compliance piece. There’s certainly the business element to this in terms of what we want to do with virtual care. And then there’s the clinical piece to this. We can’t use virtual care for everything, we’ve got to be able to meet the standard of care that would be applicable to an in-person service.

And so to your point, I think your structure that needs to be in place does need to include a composition that hits on all of those elements and communication among those individuals will be key. And then I think that structure then is in place not only to vet for what’s happening today, but where do we want to go tomorrow? Where can we go tomorrow? And then going back to the elements you mentioned, really incorporating education as a component here. We’re providing the same clinical services maybe, but we’re doing it in a very different way, or at least virtually, so we’re delivering care in a different way. And there are different rules in play than would otherwise be applicable to an in-person service. And so, education of providers is really going to be important here.

As to your point on the compliance plan, I agree. We need to have a work plan that’s specific to virtual care. That work plan itself may not capture everything, but minimally, depending upon the size scope of the care you’re providing, but minimally should establish guardrails in terms of the core components, where are we providing these services? In what states? Where’s everyone located? What do the medical record requirements look like in each of those jurisdictions? What are the consent requirements? What are we comfortable prescribing or not prescribing through virtual care? The compliance work plan, we should be able to nail down some of those essential guard rails even if maybe we’re going to develop this through our structure more specifically in service lines or within departments, et cetera.

And then lastly, to your point on the audit functions, I think there too we’ve got to think about this a little bit differently. We may want to do the same type of oversight and audit that we may need to, but it may look a little different and there may be some different considerations. If we’re going to observe providers for example, or retrospectively review or audit records for billing compliance, there will be different rules in play. And we may need to go about doing this a little differently. I mean, in terms of proctoring a physician, for example, maybe a new physician for ongoing quality review, that’s going to have to happen differently because it’s a virtual encounter.

And so I think some of the same concepts, but being deliberate in terms of how are we going to get that done? And then are there any other related consequences? If we’re going to use a video recording of a patient interaction, for example, and we’re going to audit that video recording, what does that mean from a medical record standpoint? Do we need to maintain that recording go forward? Does it become part of the designated record set somehow? Do we need a particular patient consent to use the recording?

So I think there are a lot of same concepts in play in terms of what we need to do, but we need to think about those a little differently in terms of, A, there are different rules that may be applicable, and B, there may be some consequences there in terms of what we need to accomplish. So Ritu, I think great thoughts and certainly what I’m seeing, like I said, dovetails, I think, very much with what you mentioned.

Let me kick it back to you, Ritu, do you have final thoughts maybe, or any additional thoughts for those providers out there or entities in terms of what they need to be thinking or doing from a fraud and abuse standpoint with respect to virtual care?

Ritu Cooper: I think, Chris, the biggest thing is making sure that you have the right players involved as you are starting the program and then developing the program. I think that if you have compliance and legal at the table as you’re putting it together, you can probably catch some of those issues that you’ve just discussed before they might be problematic. And I think also then if those two departments are involved at the outset, they will be able to better help with the development of policies and procedures and those risk areas and auditing plans because they’ll understand the structure at the beginning as opposed to being tossed at the end.

So I think for those who may not have done that, all is not lost. But as you said now we’re talking about, “Okay, this is what we’ve done in the pandemic.” Kind of fast and dirty, but now we’re going forward and trying to set up this long-term plan, and if we could make sure that we’re thinking about the different issues that might come up from a Stark and Kickback perspective, and make sure that there’s also other issues, there’s licensure issues. I mean, there’s so many things beyond just Stark and Kickback that we need to think about, and our e-prescribing, our medical record, just like you mentioned, if we’re thinking about those at the beginning, we might even be pulling other people in place, we might need to be talking to our it vendor as well, or a medical records vendor, or whoever we’re working with also to make sure that we’re protecting the entire program.

Chris Eades: Ritu, thank you for your time and insight today. To our audience, thanks for joining us today. If you or your organization have any questions or topics you would like to share with us, please certainly contact us. You can do so via our website at hallrender.com. Certainly reach out to me at ceades@hallrender.com. Or Ritu, particularly if you have questions regarding legal compliance or fraud or abuse issues, please reach out to Ritu at rcooper@hallrender.com. Either Ritu or one of the other attorneys in that practice group will be happy to assist. Please remember, as always the views expressed in this podcast are those of the participants only and do not constitute legal advice. Thanks so much for joining us today.