Rooting Out Fraud
On May 6, Florida-based Baptist Health System Inc. was the latest in a long line of organizations to resolve a federal lawsuit accusing it of violating the False Claims Act (FCA).
Baptist Health System agreed to pay $2.5 million to resolve allegations in the case brought by a former patient referral coordinator at the health care center’s neurology practice, a lawsuit that was partially joined by the federal government.
Although health care organizations are often the focus of FCA litigation, the law, which encourages whistleblowers to expose an organization’s fraudulent practices, affects all organizations.
“Everybody thinks that it’s a health care issue, but it’s not,” said Keith Lavigne, senior vice president, professional risk, ACE USA. “The law affects any company or entity interacting with the government. … It doesn’t discriminate by industry so everyone has to adhere to this act.”
In fiscal 2013, the U.S. Department of Justice (DOJ) recovered $3.8 billion in settlements and judgments from civil cases involving fraud under the FCA. The prior fiscal year, the amount was $4.9 billion. Since January 2009, total recoveries under the FCA totaled $17 billion.
“As in previous years, the largest recoveries [in fiscal 2013] related to health care fraud, which reached $2.6 billion,” according to the DOJ. “Procurement fraud [related primarily to defense contracts] accounted for another $890 million — a record on that area.”
Other significant fraud recoveries included a $45 million settlement with Japan-based Toyo Ink S.C. Holdings Co. Ltd. and its affiliates related to allegations it misrepresented the country of origin on customs documents, and a $10 million settlement with Education Holdings Inc. (formerly The Princeton Review Inc.) related to allegations the company fabricated attendance records on tutoring funded by a federal grant.
Lavigne said the number of actions filed due to the FCA’s whistleblower provisions has escalated from about 380 cases in 1987 to 846 cases in 2013. Individuals who file civil suits are eligible to receive up to 15 percent to 30 percent of the recovery.
“It’s an amazing incentivizing of the workforce,” he said, noting the fraudulent activities most often found are inflating bills for services and fabricating procedures.
Health care organizations have been disproportionately affected by the FCA because of several government initiatives to crack down on fraud and abuse in that sector, he said.
Those initiatives include the Health Care Fraud Prevention and Enforcement Action Team, started in 2009 by the U.S. Department of Health and Human Services and the DOJ; the Medicare Fraud Strike Force, launched in 2007; and $350 million set forth as part of the Patient Protection and Affordable Care Act to fight fraud and abuse.
The ACA’s expansion of third-party audits by Recovery Audit Contractors (RAC) increases the exposures — and compliance requirements — of health care organizations, Lavigne said.
It’s a burden, a cost and a distraction, he said. And it requires organizations to develop comprehensive self-audit programs.
A compliance program should include internal monitoring and auditing, implementing and enforcing compliance and practice standards, designating ownership of the process, conducting training, and responding to reported offenses, he said.
“If they are not looking at it, they are neglecting their enterprise risk management,” Lavigne said. “If an institution doesn’t have a robust compliance program set up, it’s a real risk.”
In the Florida case, a January 2012 lawsuit filed by the whistleblower alleged the neurology practice at Baptist Health System Inc. intentionally misdiagnosed patients in order to bill Medicare for expensive treatment and medications.
The health center was accused of actively trying to cover up the alleged fraud when it became aware of it, rather than inform government authorities.
Kirk Chapman, a partner at Milberg LLP, which represented Verchetta Wells, the whistleblower, said the case is an example of how the FCA “empowers Americans to help fight fraud on the government and American taxpayers, no matter how big or small the fraud may be.”
The case involved Milberg as well as the DOJ and Middle District of Florida U.S. Attorney’s office.
ICD-10 Implementation on Hold Until 2015
Workers’ comp payers that have invested in the impending new diagnostic codes are being forced to regroup. A law signed by President Obama delays implementation until October 2015, at least.
The International Classification of Diseases 10th edition was scheduled to take effect this October. But legislation that addresses the Medicare sustainable growth rate includes a provision that prohibits the Department of Health and Human Services from implementing the updated coding for another year.
“We’re all walking around here not really sure if this is going to happen. I’m confident it will, whether it is ICD-10 or 11. We have to change,” said Michele Hibbert-Iacobacci, vice president of information and support for Mitchell International.
Hibbert-Iacobacci spoke to Workers’ Compensation Report from Washington, D.C., where she was attending the American Health Information Management Association’s ICD-10/Procedure Coding System and Computer-assisted Coding Summit, which had been planned before the delay was announced. According to the association’s website, panelists at one of the early sessions referred to the code set’s delay as “ICD When.”
Even though workers’ comp is not a covered entity under HIPAA and therefore not required to transition to ICD-10, experts such as Hibbert-Iacobacci have strongly advised payers to do so. As she explained, it is in the best interests of workers’ comp stakeholders to comply.
“The fact of the matter is the doctors do [have to comply]. Providers are covered under HIPAA regardless whether they bill for comp or general health,” she said. “It would be the most ridiculous thing [for them] to speak two different languages.”
Many providers’ offices had already begun the expensive transition from ICD-9 to ICD-10. “The small practice, which is what we see a lot of in workers’ comp, is truly affected,” Hibbert-Iacobacci said. “Many of them switched.”
Some providers have been using dual systems in preparation for the change. Switching from one coding system to another costs an estimated billions of dollars, especially for training.
“Training was set for three months leading up to the [implementation] date,” Hibbert-Iacobacci said. “Some have started preliminary training. They will lose that information. They will have to do it over again or revisit it somehow.”
Hibbert-Iacobacci said annual updates to the ICD-9 codes were not done this year due to the anticipated implementation of ICD-10. Now those code sets will need to be updated.
With workers’ comp regulated at the state level, many jurisdictions have adopted legislative or administrative changes to allow for the transition from ICD-9 to ICD-10 codes. They are now in a wait-and-see mode.
Despite the costs and frustrations imposed by the delay, Hibbert-Iacobacci believes the change is inevitable and will be highly beneficial. For one thing, she says the new codes may help determine causation.
“There are encounter codes added to the injury codes, [including] the initial, subsequent, or sequela migration of injury,” Hibbert-Iacobacci said. “In workers’ comp we have to pay for things related to accidents … you should not see a ‘subsequent’ for an accident or it means there is a preexisting injury.”
5 & 5: Rewards and Risks of Cloud Computing
Cloud computing lowers costs, increases capacity and provides security that companies would be hard-pressed to deliver on their own. Utilizing the cloud allows companies to “rent” hardware and software as a service and store data on a series of servers with unlimited availability and space. But the risks loom large, such as unforgiving contracts, hidden fees and sophisticated criminal attacks.
ACE’s recently published whitepaper, “Cloud Computing: Is Your Company Weighing Both Benefits and Risks?”, focuses on educating risk managers about the risks and rewards of this ever-evolving technology. Key issues raised in the paper include:
5 benefits of cloud computing
1. Lower infrastructure costs
The days of investing in standalone servers are over. For far less investment, a company can store data in the cloud with much greater capacity. Cloud technology reduces or eliminates management costs associated with IT personnel, data storage and real estate. Cloud providers can also absorb the expenses of software upgrades, hardware upgrades and the replacement of obsolete network and security devices.
2. Capacity when you need it … not when you don’t
Cloud computing enables businesses to ramp up their capacity during peak times, then ramp back down during the year, rather than wastefully buying capacity they don’t need. Take the retail sector, for example. During the holiday season, online traffic increases substantially as consumers shop for gifts. Now, companies in the retail sector can pay for the capacity they need only when they need it.
3. Security and speed increase
Cloud providers invest big dollars in securing data with the latest technology — striving for cutting-edge speed and security. In fact, they provide redundancy data that’s replicated and encrypted so it can be delivered quickly and securely. Companies that utilize the cloud would find it difficult to get such results on their own.
4. Anything, anytime, anywhere
With cloud technology, companies can access data from anywhere, at any time. Take Dropbox for example. Its popularity has grown because people want to share large files that exceed the capacity of their email inboxes. Now it’s expanded the way we share data. As time goes on, other cloud companies will surely be looking to improve upon that technology.
5. Regulatory compliance comes more easily
The data security and technology that regulators require typically come standard from cloud providers. They routinely test their networks and systems. They provide data backups and power redundancy. Some even overtly assist customers with regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS).
1. Cloud contracts are unforgiving
Typically, risk managers and legal departments create contracts that mitigate losses caused by service providers. But cloud providers decline such stringent contracts, saying they hinder their ability to keep prices down. Instead, cloud contracts don’t include traditional indemnification or limitations of liability, particularly pertaining to privacy and data security. If a cloud provider suffers a data breach of customer information or sustains a network outage, risk managers are less likely to have the same contractual protection they are accustomed to seeing from traditional service providers.
2. Control is lost
In the cloud, companies are often forced to give up control of data and network availability. This can make staying compliant with regulations a challenge. For example cloud providers use data warehouses located in multiple jurisdictions, often transferring data across servers globally. While a company would be compliant in one location, it could be non-compliant when that data is transferred to a different location — and worst of all, the company may have no idea that it even happened.
3. High-level security threats loom
Higher levels of security attract sophisticated hackers. While a data thief may not be interested in your company’s information by itself, a large collection of data is a prime target. Advanced Persistent Threat (APT) attacks by highly skilled criminals continue to increase — putting your data at increased risk.
4. Hidden costs can hurt
Nobody can dispute the up-front cost savings provided by the cloud. But moving from one cloud to another can be expensive. Plus, one cloud is often not enough because of congestion and outages. More cloud providers equals more cost. Also, regulatory compliance again becomes a challenge since you can never outsource the risk to a third party. That leaves the burden of conducting vendor due diligence in a company’s hands.
5. Data security is actually your responsibility
Yes, security in the cloud is often more sophisticated than what a company can provide on its own. However, many organizations fail to realize that it’s their responsibility to secure their data before sending it to the cloud. In fact, cloud providers often won’t ensure the security of the data in their clouds and, legally, most jurisdictions hold the data owner accountable for security.
Risk managers can’t just take cloud computing at face value. Yes, it’s a great alternative for cost, speed and security, but hidden fees and unexpected threats can make utilization much riskier than anticipated.
Managing the risks requires a deeper understanding of the technology, careful due diligence and constant vigilance — and ACE can help guide an organization through the process.
To learn more about how to manage cloud risks, read the ACE whitepaper: Cloud Computing: Is Your Company Weighing Both Benefits and Risks?