compliance fraud, waste and abuse training for first tier

2013‐ Compliance & Fraud, Waste and Abuse Training for First Tier, Downstream and Related Entities

Preferred Care PartnersConfidential and Proprietary

1

Have You Been Trained?Detecting and preventing fraud, waste and abuse (FWA) is the responsibility ofeveryone, including employees, members, physicians, vendors, subcontractors,hospitals, brokers, agents and other persons who may be subject to federal or state lawsrelating to FWA. The Centers for Medicare and Medicaid Services (CMS) requires that allfirst‐tier downstream and related entities (FDR) to the health plan/sponsor (thisincludes, but is not limited to employees, physicians, vendors, hospitals, brokers, andagents) who work or contract with Medicare Advantage Programs (MA) and/orMedicare Prescription Drug Programs (PDP) meet annual compliance and educationtraining requirements with respect to Fraud, Waste and Abuse.

Statutes, regulations, and policy govern Medicare Parts A, B, C and D programs. Theselaws state that FDRs must have an effective compliance program and training for theiremployees, managers, and directors. The FDRs compliance plan must address measuresto prevent, detect, and correct Part C or D program non‐compliance, as well as fraud,waste and abuse, which will consist of training, education, and effective lines ofcommunication between the compliance officer and the organization’s employees,managers, and directors in regards to Fraud, Waste and Abuse.


2

Preferred Care Partners’ Commitment

Preferred Care Partners and subsidiaries, must ensure that all delegatedentities and FDR’s that deal directly with our Medicare members and/or viewProtected Health Information (PHI), in any capacity, implement fraud, wasteand abuse training for all personnel. To meet this obligation, we haveestablished training requirements and have communicated this to our first‐tier downstream and related entities for which we have a contractualrelationship.


3

This Training Will Cover:

o Definitions of first‐tier downstream and related entitieso Compliance Program o Definitions of Fraud, Waste and Abuseo Types of Fraud, Waste and Abuse o Healthcare Fraud Laws and Regulationso HIPAA Privacy and Security Laws and Regulationso Your Responsibilitieso Attestation for Completion of the Compliance & Fraud, Waste and Abuse

Training


4

First‐Tier Entity‐ any party that enters into a written arrangement, acceptable to CMS, with a MAO or Part D plan sponsor or applicant to provide administrative services or health care services to a Medicare eligible individual under the MA or Part D program. (See, 42 C.F.R. § 423.501). Examples: PBM, a Claims Processing Company, contracted Sales Agent

Downstream Entity‐ any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the MA benefit or Part D benefit, below the level of the arrangement between a MAO or applicant or a Part D plan sponsor or applicant and a first tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. (See, 42 C.F.R. §, 423.501). Example: Pharmacy

Related Entity‐ any entity that is related to a MAO or Part D sponsor by common ownership or control and performs some of the MAO or Part D plan sponsor’s management functions under contract or delegation. Furnishes services to Medicare enrollees under an oral or written agreement, or leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period. (See, 42 C.F.R. §423.501). Example: Entity that has a common ownership or control of a Part C/D Sponsor

Definitions of First‐Tier Downstream and Related Entities


5

Compliance Program


6

Why a Compliance Program?


o Federal and state law requires that providers ensure that they are operating their businesses in compliance with governing laws.

7

Compliance ProgramPreferred Care Partners and their first‐tier downstream and related entities are required to have a Compliance Program to guard against potential fraud, waste and abuse. The plan must include:

(1) Written policies, procedures, and standards of conduct articulating the organization's commitment to comply with all applicable Federal and State standards(2) The designation of a compliance officer and compliance committee (3) Effective training and education between the compliance officer and the MA/Part D plan sponsor's employees, managers and directors, and the MA/Part D plan sponsor's first‐tier downstream and related entities(4) Effective lines of communication between the compliance officer, members of the compliance committee, the MA/Part D plan sponsor's employees, managers and directors, and the MA/Part D plan sponsor's first‐tier downstream and related entities(5) Enforcement of standards through well‐publicized disciplinary guidelines(6) Procedures for internal monitoring and auditing(7) Procedures for ensuring prompt responses to detected offenses and development of corrective action initiatives relating to the organization's contract as a MA/Part D plan sponsor


8

Compliance Program cont.


By the terms of your contract with Preferred Care Partners you must have andmaintain an effective compliance program. FDR’s must educate and trainemployees, on fraud, waste and abuse within 30 days of hire and annuallythereafter.Downstream and related entities will maintain effective lines of communicationwith Preferred Care Partners’ compliance officer about potential fraud, waste andabuse through our open door policy, including phone, email, and online fraudreferral.You must maintain records to effectively track completion of education and trainingregarding fraud, waste and abuse either through your organization’s own training orthrough the material provided here. Downstream and related entities must provideor make available fraud, waste and abuse training to their partners (first‐tierdownstream and related entities) to ensure that Medicare business partners areaware of their obligation. Downstream and related entities and their employeesmust be aware and knowledgeable about laws applicable to fraud, waste and abuse.

9

Definitions of Fraud, Waste and Abuse


10

Fraud is knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property owned by, or under the custody or control of, any health care benefit program.

Waste is the overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare program. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources.

Abuse includes actions that may, directly or indirectly, result in unnecessary costs to the Medicare/Medicaid Program such as improper payment, payment for services that fail to meet professionally recognized standards of care, or services that are medically unnecessary. Abuse, also involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse cannot be differentiated categorically from fraud, because the distinction between “fraud” and “abuse” depends on specific facts and circumstances, intent and prior knowledge, and available evidence, among other factors.


11

Who Commits Fraud, Waste and Abuse?

Many individuals and organizations can potentially commit fraud including:

o Beneficiarieso Physicians, nurses and other healthcare providerso Pharmacieso Laboratorieso Pharmaceutical manufacturerso Durable Medical Equipment (DME) Providerso Hospitalso Pharmacy Benefit Managers (PBMs)o Health plans Employees o Home Health Agencies


12

Types of Fraud, Waste and Abuse


13

Beneficiary Fraud

Examples of fraud committed by beneficiaries may include:

o Identify thefto Resale of drugs on the black marketo Falsely reporting loss or theft of drugs to receive replacementso Doctor shoppingo False and inaccurate information to Medicare/Medicaido Pharmacy abuse/Doctor shopping/Narcotic drug seeking


14

Provider Fraud

Fraud can be found in some day‐to‐day operations within any medical practice. Some forms of fraud may include:

o Billing for items or services not rendered or not provided o Submitting claims for equipment or supplies and services that are not

reasonable and necessaryo Double billing resulting in duplicate paymentso Unbundlingo Failure to properly code using coding modifiers or up‐coding the level of

service provided, inappropriate use of place of service codeso Altering medical recordso Kickbacks


15

Pharmacy Benefit Manager (PBM) Fraud

Fraud committed by a PBM may include:

o Unlawful remuneration in order to steer a beneficiary toward a certain plan or drug, or for formulary placement.

o Not offering a beneficiary the negotiated price of a drug.


16

Pharmacy Fraud

o Overstating cost or billing for a commercially available product when compounding the product (e.g., inhalation drugs)

o Dispensing samples or expired drugs

o Using a single dose vial for multiple prescriptions and billings

o Returns to stock not credited

o Authorized refills billed but not dispensed

o Ignoring payer of last resort policy

o Forgery: bogus prescriptions, bogus invoices

o No prescription ‐ phantom billings

o Altering prescriptions (+ Drugs, Quantity, Refills)

o Shorting quantity dispensed with full billings

o IOU ‐ partial fills for full billings

o Over billed quantities

o Billing one drug and dispensing another


17


Healthcare Fraud Laws and Regulations

18

The False Claims Act(31 United States Code § 3729‐3733)

The False Claims Act (FCA) prohibits knowingly filing a false orfraudulent claim for payment to the government, knowingly using afalse record or statement to obtain payment on a false or fraudulentclaim paid by the government, or conspiring to defraud thegovernment by getting a false or fraudulent claim allowed or paid.See 31 U.S.C. 3729(a) of the Act for additional details, exclusions,and statutory exceptions.


19

Civil and Criminal False Claims Act (42 U.S.C. §1320a‐ 7b(a))

(31 United States Code § 3729‐3733)

It is a crime for any person or organization to:o Knowingly present, or cause to be presented, a false or fraudulent claim for payment

or approval by the federal government;o Knowingly make, use, or cause to be made or used a false record or statement to

influence the payment of a false or fraudulent claim.

NOTE:Unlike the Anti‐Kickback Statute, no proof of specific intent to defraud is required by the False Claims Act. The person submitting a claim does not need to have actual knowledge that the claim is false. Anyone who acts in reckless disregard or in deliberate ignorance of the truth or falsity of the information can also be found liable under the False Claims Act.


20

Penalties for Violating Medicare Civil Monetary Penalties (CMPs)

(42 U.S.C. §1320a‐7a) Under the False Claims Act, the damages may be tripled. Civil Money Penalty between $5,500 and $11,000 for each claim. Examples are:

o Presenting a claim that the person knows or should know is for an item or service that was not provided or is false or fraudulent or for which payment may not be made.

o Making false statements or misrepresentations on application or contracts to participate in Federal Health Care programs.

o Violation of the Medicare assignment provisions. o Violation of a Medicare physician or supplier agreement. o Refusal of any supplier to provide rental Durable Medical Equipment (DME) supplies

without charge after rental payments may no longer be made.o Unbundling of patient claims. o “Dumping of patients” based upon their inability to pay or lack of resources.o False or misleading information expected to influence a discharge decision.o Violations of the Anti‐Kickback statute and/or Stark Law.


21

Whistle Blower Protections

Qui Tam Actions: The FCA contains whistleblower or qui tam provisionsthat allow individuals who become aware of fraud against thegovernment to sue on behalf of the government. A person who brings aqui tam action that a court later finds was frivolous may be liable forfines, attorney fees and other expenses.

Non Retaliation Policy: Preferred Care Partners does not retaliate against any employee or entity that reports suspected fraudulent insurance activities.

Preferred Care Partners ensures that identities are protected for individuals reporting in good faith alleged acts of fraud and abuse.


22

Fraud Enforcement & Recovery Act of 2009 (“FERA”)

o Amends the False Claims Act.

o Makes it illegal to “knowingly conceal or knowingly and improperly avoid” an obligation to repay federal funds that have been paid in error, even if the erroneous payment was not caused by the submission of a false record or statement.

o Increased protection for qui tam plaintiffs/relators beyond employees, to include contractors and agents.

Expands the definition of “claim” to include:

o Demand for payments made by subcontractors to companies receiving federal funds.

o Any request for money made to any “recipient” of funds provided, in whole or in part, by the government, “to advance a Government program or interest.”


23

Anti‐Kickback Statute42 U.S.C. §1320a‐7b(b)

The Anti‐Kickback Statute prohibits the following actions:

Soliciting, receiving, offering or paying remuneration for referrals of Medicare or Medicaid patients, or referrals for services or items which are paid for, in whole or in part, by Medicare or Medicaid.

Soliciting, receiving, offering or paying remuneration in return for purchasing, leasing, ordering, or arranging for, or recommending purchasing, leasing, or ordering any goods, facility, service, or item for which payment may be made in whole or in part, by Medicare or Medicaid.

Discounts, rebates, or other reductions in price may violate the anti‐kickback statute because such arrangements induce the purchase of items or services payable by Medicare or Medicaid.

The statute ascribes criminal liability to parties on both sides of an impermissible “kickback” transaction.However, certain arrangements are clearly permissible if they fall within a “safe harbor.” A violation of the anti‐kickback law is a felony offense that carries criminal fines of up to $25,000per violation, imprisonment for up to five years and exclusion from government health careprograms.


24

What is Remuneration?

The transfer of anything of value, directly or indirectly, overtly or covertly in cash.

When this happens, both parties are held in criminal liability of the impermissible “kickback” transaction.


25

Physician Self‐Referral LawStark Statute

42 USC §1395nn

o Prohibits physicians from referring Medicare patients for certain designated health services to an entity with which the physician or a member of the physician’s immediate family has a financial relationship – unless an exception applies.

o Prohibits an entity from presenting or causing to be presented a bill or claim to anyone for a designated health service furnished as a result of a prohibited referral.

Stark Damages and Penalties ‐ Up to a $15,000 fine for each service provided. Up to a $100,000 fine for entering into an arrangement or scheme.


26

Office of Inspector General ExclusionsThe Department of Health and Human Services Office of Inspector General (OIG) is legally required toexclude from participation in all Federal Health Care programs individuals and entities convicted of thefollowing types of criminal offenses:

o Medicare or Medicaid fraud

o Patient abuse or neglect

o Felony convictions for other health related fraud, theft, or other financial misconduct

o Felony convictions for unlawful manufacture, distribution, prescription or dispensing of controlled substances

The OIG has discretion to exclude on several other grounds, including misdemeanor convictions related to the list above. In the absence of a conviction, the OIG may permissively exclude providers if certain conditions and requirements have been met. Even when the U.S. Attorney’s Office declines to prosecute a case, the OIG may take action to exclude the provider from the Medicare program. Exclusion means that for a designated period, Medicare, Medicaid, and other government programs will not pay the provider for services performed, or for services ordered by the excluded party or CMS terminates contract with its providers, suppliers or managed care organizations, etc.The online database may be accessed at: http://oig.hhs.gov/fraud/exclusions.asp


27

List of Excluded Individuals and Entities (LEIE)

o Excluded Parties List System (EPLS) is used to identify excluded parties duringthe process of engaging services of new employees, providers andsubcontractors during renewal of agreements and re‐credentialing.

o The online database may be accessed at: https://www.epls.gov/

o Provider/subcontractor should not engage the services of an entity that is innonpayment status or is excluded from participation in federal or state healthcare programs.


28

CMS Intermediate Sanctions

It is important to understand these regulations since violations can result in civil and federal penalties. CMS can impose intermediate sanctions for:

o Engaging in discriminatory practices o Providing false information to CMS o Imposing excessive premiums on members o Inappropriately disenrolling or refusing to re‐enroll an individual o Failing to provide a beneficiary with medically necessary items or services that are required under law or contract

o Employing or contracting with any health care provider that is excluded from participation in the Medicare program


29

.


HIPAA Privacy & Security

30

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the rightto privacy for an individual patient’s medical records and establishes national standards forelectronic health care transactions and national identifiers for providers, health plans, andemployers. The standards improve the efficiency and effectiveness of the nation's healthcare system and assists in the electronic privacy and security data interchange.

Privacy Rule: Defines protected health information and provides individuals more controlover how their health information is used and disclosed.

Security Rule: Establishes controls for safeguarding the integrity, availability andconfidentiality of private information. The Office for Civil Rights is responsible forimplementation and enforcement of the privacy and security regulations.

As an entity who has access to protected health care information, you are responsible foradhering to HIPAA.

31


Protected Health Information (PHI) ‐ individually identifiable healthinformation related to past, present, or future conditions, treatments, and/orpayment history/claims

Individually Identifiable Information ‐ member’s name, address, DOB, SS#,group and policy numbers, diagnosis codes, prognosis, symptoms and claimshistory

Designated Record Sets (DRS) ‐ pertains to medical and billing records,enrollment information, claims, payments, case management records, and anyother record used to make decisions

32

o Names, Addresses o All elements of dates directly related to an individual, including birth

date, admission date, discharge date, date of death o Telephone or Fax number o E‐Mail Address o Medical Record Number o Health Plan Beneficiary Number o Account Numbers o Biometric Identifiers (finger and voice prints) o Full‐Face Photos and Comparable Images o Any other unique identifying number, characteristic or code

What Is Considered PHI?


33

Security Of Data

Safeguarding Protected Health Information (PHI) ‐ A covered entitymust have administrative, technical and physical safeguards in place toprotect the privacy of Protected Health Information from the intentionalor unintentional use or disclosure.


34

HIPAA’s 2009 HITECH ACTHealth Information Technology for Economic and Clinical Health

HITECH Act introduced several new security provisions including:

o Time frame requirement to notify members and Health and Human Services (HHS) of Protected Health Information (PHI) security breaches;

o New stricter HIPAA regulations regarding business associates and enforcement of penalties;

o Restrictions on the sale and marketing of PHI.

When a breach occurs, a covered entity must notify each individual whose unsecured PHIhas been, or is reasonably believed by the covered entity to have been breached,accessed, acquired, used or disclosed as a result of such breach. A covered entity mustnotify HHS and the media in the event of a breach of unsecured PHI involving 500 ormore individuals. A business associate must notify the covered entity of any breach ofunsecured PHI.

All downstream related entities and business associates must notify Preferred Care Partners immediately in the event of a breach of PHI, so that Preferred Care Partners & BA can coordinate breach notification to HHS. http://ocrnotifications.hhs.gov/


35

Violation of PHI & PHI Breach DisclosuresHIPAA established health care fraud as a federal criminal offense and increased the penalties, such as:

‐ For knowingly obtaining or disclosing identifiable health information relating to an individual in

violation of the Rule:

o Up to $50,000 & 1 year imprisonment

o Up to $100,000 & 5 years if done under false pretenses

o Up to $250,000 & 10 years if intent to sell, transfer, or use for commercial advantage,

personal gain or malicious harm

‐ Forfeiture of property derived, directly or indirectly, from gross proceeds traceable to thecommission of the offense

‐ Imprisonment for up to 10 years/up to 20 years if the violation results in “bodily injury”/life ifpatient dies


36

Notification & Incentive Program


Preferred Care Partners, Inc. must notify the Secretary of Health and HumanServices of all unauthorized disclosures of PHI and follow the required processof notification to the individual, client, business associate and when indicated,the media.

HIPAA s.203 (b)(1) created the Medicare Incentive Reward Program (IRP) toencourage reporting of sanctionable activities. IRP will pay a reward forinformation that leads to a minimum recovery of $100 from a party determinedby CMS to have committed sanctionable offenses.

HIPAA created funding for states to fight fraud and abuse. The State of Floridauses the funds for the South Florida Health Care Fraud Center.

37

HIPAA Audits


The U.S. Department of Health and Human Services (HHS) Office for CivilRights (OCR) is responsible for privacy and security enforcement under theHealth Insurance Portability and Accountability Act (HIPAA) and the HealthInformation Technology for Economic and Clinical Health (HITECH) Actprovisions.

To avoid the consequences of potential penalties for non‐compliance,covered entities and business associates must now pay immediate attentionto conducting a new or reviewing an existing risk assessment of threat andvulnerability to protected health information (PHI), mitigating identifiedrisks through privacy and security safeguard policies and procedures,training their workforce members to safeguard privacy and security of PHI,and documenting those actions in writing.

38

Record Retention

Documentation such as medical, professional, financial and businessrecords must be maintained for at least 10 years from the date of service.


39

Your Responsibilities


40

Duty to Report

Everyone within your organization, including owners, directors, vendors and subcontractors have a duty to comply with all laws and regulations and to report violations.

o You do not have to be certain that a violation has occurred in order to report suspected wrongdoing.

o Retaliating against or intimidating anyone who reports a suspected violation is prohibited by Company policy.


41

Reporting Fraud, Waste and Abuse

If you suspect any potential case of fraud, waste or abuse related to Medicare, you may report it to Preferred Care Partners’ Special Investigations Unit at:

Fraud, Waste and Abuse Hotline: 1‐ 866‐ 678‐ 8822 Fax: 1‐888‐659‐0617Web address: http://www.mypreferredcare.com/en/contact‐us/report‐fraud‐waste‐or‐abuse.aspx Email: [email protected] Online: www.mypreferredcare.com, www.mycareflorida.comMail to: 9100 S. Dadeland Blvd., Suite 1250, Miami, Florida 33156

All reports are confidential and may be anonymous. It is illegal to retaliate against or intimidate an employee who reports suspected fraud, waste, or abuse.


42

Reporting to MEDICARESuspected cases of Medicare fraud may also be reported directly to the Health and Human Services Office of the Inspector General in writing or by phone:

Mail:US Department of Health and Human ServicesOffice of Inspector GeneralATTN: OIG HOTLINE OPERATIONSPO Box 23489Washington, DC 20026 Phone:1‐800‐HHS‐TIPS (1‐800‐447‐8477) Fax:1‐800‐223‐8164 TTY:1‐800‐377‐4950


43

RESOURCES

• CMS’ Prescription Drug Benefit Manual – Chapter 9 • CMS’ Medicare Managed Care Manual – Chapter 21 http://www.cms.gov/Medicare/Prescription‐

Drug‐Coverage/PrescriptionDrugCovContra/Downloads/Chapter9.pdf• CMS’ Prescription Drug Benefit Manual http://www.cms.gov/Medicare/Prescription‐Drug‐

Coverage/PrescriptionDrugCovContra/PartDManuals.html• CMS’ Medicare Managed Care Manual http://www.cms.gov/Regulations‐and‐

Guidance/Guidance/Manuals/Internet‐Only‐Manuals‐IOMs‐Items/CMS019326.html• Code of Federal Regulations (see 42 CFR 422.503 and 42 CFR 423.504)

http://www.gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR • Office of the Inspector General – Fraud Information http://oig.hhs.gov/fraud/ • Medicare Learning Network (MLN) Fraud & Abuse Job Aid http://www.cms.gov/Outreach‐and‐

Education/Medicare‐Learning‐Network‐MLN/MLNProducts/downloads/Fraud_and_Abuse.pdf• Physician Self Referral Law‐ http://cms.hhs.gov/PhysicianSelfReferral• HIPAA http://www.hhs.gov/ocr/privacy hhs.gov


44

Training Documentation

You are accountable and responsible for ensuring Compliance

Companies like yours that do business with Medicare Advantage organizations and Part DSponsors must ensure that their employees, owners, directors, vendors and contractors areknowledgeable about all laws and regulations that apply to their business in order to ensure thatno documentation or certification prepared by those employees and provided to the governmentis considered to be knowingly false.

Please note that you must be able to submit records of training logs documenting employeeparticipation in the training upon request.

Thank you for completing Preferred Care Partners’ Fraud, Waste and Abuse Training


45

As a first‐tier downstream or related entity, ____________________________ (“My Organization”) attests that it (Legal Entity Name)

has administered appropriate education and training to identify, correct, and prevent potential fraud, waste, and abuse. Upon request, my organization will provide Preferred Care Partners with training logs to validate that the training was completed.

Return this form to Preferred Care Partners by fax to: Attn: Compliance Department 305‐671‐4085. Or by mail Attn: Compliance Department 9100 South Dadeland Blvd. Suite 1250. Miami, FL 33156.

__________________________________ ______________________________________Print Name Signature

__________________________________ ______________________________________Organization Date Signed


Attestation for Completion of theCompliance & Fraud, Waste and Abuse Training

46

compliance fraud, waste and abuse training for first tier

Documents