Inappropriate billing, fraud gaining scrutiny

From its Annual Work Plan to increased cybersecurity scrutiny, HHS-OIG is focused on fraud and non-compliance.

Recently, as part of its Work Plan, the U.S. Department of Health and Human Services – Office of the Inspector General (HHS-OIG) issued a Bulletin (OEI-02-18-00380) highlighting a disturbing trend that warrants increased scrutiny – inappropriate billing. This should raise a flag for hospitals and other providers alike because it is a priority for HHS-OIG, which could lead to a costly False Claims Act case.

The following Bulletin items are notable for two reasons: (1) compliance initiatives; and (2) legal risk mitigation. Here are some of the key take-aways:

• Medicare Part A claims were analyzed for FY 2014—FY 2019;
• A trend emerged—hospitals increasingly billed for inpatient stays at the highest severity level, which is the most costly and results in the government expending the greatest amount of taxpayer dollars;
• Inpatient stays were vulnerable to false and fraudulent billing practices, such as upcoding; and
• Inadequate documentation and one diagnosis code was deemed suspect in rendering the highest level of care.

These items should serve as reminders for hospitals and providers alike to ensure medical necessity is met when utilizing a particular code, utilizing a particular modifier is appropriate under the circumstances, and conduct both internal and external billing and coding audits to ensure accuracy of claims submissions.

As protected health information becomes more vulnerable and more valuable, HHS-OIG has established a Cybersecurity Team to “combat threats by fostering enhancements in IT controls, risk management and resiliency.” It is hard to believe that this is a coincidence because the U.S. Department of Justice recently remarked that electronic health records, telehealth, and cybersecurity are three areas of fraud enforcement. “For example, cybersecurity related fraud may be another area where we could see enhanced False Claims Act activity. … To the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”

Providers and healthcare industry participants alike should remain vigilant about cybersecurity and being truthful in attestations to the government. Failing to do so may lead to a government investigation and/or a False Claims Act lawsuit.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}