Health care organizations are facing an unprecedented increase in liability risk as government agencies aggressively use the False Claims Act (FCA) to enforce the exhaustive and complex regulations governing insurance programs.

Under the FCA, government agencies are empowered to seek civil and criminal penalties to redress false claims for federal money or property, such as Medicare benefits. The government’s unrelenting enforcement led to its second largest annual recovery of $3.8 billion. This marks the fourth straight year of recoveries exceeding $3 billion.

In light of the government’s emphasis on enforcement of the FCA, health care organizations participating in Medicare, Medicaid or other government-sponsored insurance programs must take steps to develop their enterprise risk management programs to address this evolving exposure.

Growing Scrutiny

With health care reform a top priority under the current administration, the government continues to execute the aggressive strategy put in place four years ago to combat health care fraud and abuse.

The National Health Care Anti-Fraud Association conservatively estimates that at least 3 percent of health care spending is lost to fraud. The Institute of Medicine estimates that, in one year, the U.S. health care system wasted $750 billion on unnecessary and overpriced medical tests and treatments, administrative fees, medical fraud and missed prevention opportunities.

Results of these investigations, amongst countless other private and government sponsored studies, have led to considerable resources being dedicated to support new anti-fraud efforts. The Patient Protection and Affordable Care Act, for instance, provides $350 million in new funding to fight fraud and abuse over the next 10 years.

To support the Office of Inspector General (OIG) and the Department of Justice (DOJ) in their efforts to crack down on fraud and abuse, other recent anti-fraud enforcement initiatives include the creation of the Health Care Fraud Prevention and Enforcement Action Team, formed in 2009, and the Medicare Fraud Strike Force, launched in March 2007.

However, perhaps the most aggressive initiative was the Centers for Medicare and Medicaid’s passage and expansion of audit programs. Run by third party contractors, the auditors’ sole purpose is to identify, correct and collect improper overpayments.

Since its national roll-out in 2010, the number of targeted organizations and medical records reviewed by Recovery Audit Contractors (RAC) has dramatically increased, according to an American Hospital Association RACTrac survey. For the first six months of 2013, nine out of 10 hospitals reported experiencing RAC activity. Since the fourth quarter of 2012, medical record requests have increased by 47 percent, which makes it worth noting that RAC compensation is directly tied to recovered funds. In a recent hearing, a senator noted that the relatively high rate of successful provider appeals — about 50 percent — “raises questions as to whether RACs are being too aggressive or do not understand current medical practice.”

In addition to RAC audits, health care providers also face the possibility of audits by Zone Program Integrity Contractors and Medicaid Integrity Contractors.

Whistleblowers Encouraged Under the FCA

The False Claims Act also encourages whistleblowers, under its qui tam provisions, to expose an organization’s fraudulent practices. The qui tam provisions permit private parties to file suits seeking recovery under the FCA on behalf of the United States.

In qui tam actions, the whistleblower receives between 15 percent and 30 percent of the recovery. In 2013, the Justice Department saw 752 qui tam suits filed, and recovered a record $2.8 billion in suits filed by whistleblowers.

Billions of dollars have been collected under the FCA. The government’s unrelenting enforcement led to recoveries of more than $5 billion in 2012 and another $4.3 billion in 2013, with recoveries for health care fraud totaling more than $6 billion. Recoveries dating from 2009 to 2013 totaled $17 billion.

In addition to forfeited payments, those found to have violated the FCA could also be subjected to significant damages and per-claim penalties between $5,500 and $11,000.

Recent settlements include:

• A South Carolina nonprofit hospital system was ordered to pay $273 million to resolve violations of the FCA and the Stark Law. The jury found the system entered into employment agreements with physicians that were not consistent with fair market value or commercially reasonable.
• A Florida dermatologist agreed to pay $26.1 million to settle allegations that he accepted kickbacks from a pathology laboratory and billed Medicare for unnecessary services. The settlement is one of the largest ever involving an individual under the FCA.

The cost of a FCA action, however, goes beyond damages and penalties. Senior executives may even face criminal charges as a result of the investigations, and publicity from a FCA case can harm an organization’s credibility and reputation. These costs can even put an organization’s future into question.

A Proactive Risk Management Strategy

It’s important that in-house counsel, risk managers and compliance teams work together to develop a proactive enterprise risk management strategy to mitigate these exposures.

One important loss mitigation strategy should be to develop a comprehensive self-audit program, inclusive of a dedicated audit team and compliance committees to oversee the audit process. Recent guidance from the OIG suggests that an organization’s compliance program should also include the following:

• Conducting internal monitoring and auditing
• Implementing compliance and practice standards
• Designating a compliance officer or contact
• Conducting appropriate training and education
• Responding appropriately to detected offenses and developing corrective action
• Developing open lines of communication
• Enforcing disciplinary standards through well-publicized guidelines

Providers who wish to voluntarily disclose self-discovered evidence of potential fraud to the OIG may do so under the OIG’s Provider Self-Disclosure Protocol. Self-disclosure gives providers the opportunity to avoid the costs and disruptions associated with a government-directed investigation and civil or administrative litigation.

As part of their risk management strategy, providers need to understand the importance of a comprehensive insurance program and how insurance can help them work through the difficulties of FCA related matters.

Management liability insurance policies, specifically D&O policies, typically provide some level of protection against FCA liability, but it is essential that health care organizations ensure they have explicit and state-of-the-art coverage.

From RAC, ZPIC and MIC audits, to litigation filed by whistleblowers or the Department of Justice, health care providers are operating in a new risk environment. By implementing a proactive enterprise risk management strategy, health care providers can reduce the potential for damaging losses.