Although betting on the end of the COVID-19 public health emergency (PHE) is starting to feel as safe as investing in cryptocurrency, it probably will expire in April or July and the waivers and flexibilities along with it. For hospitals and other providers, that means reverting to pre-PHE rules, which attorneys and compliance professionals see as high on the list of challenges in the coming year—along with related audits and enforcement actions. “By the spring of 2023, we will be looking at three years. That’s a long time,” said Patrick Kennedy, executive director of hospital compliance at UNC Health in North Carolina. “The more time that has passed, the further away we have gotten from the way we used to operate.” Case in point: one of its hospitals relies on a waiver to treat inpatients on a unit that had previously been reserved for 25 observation beds. “It will have to go back to being an observation unit exclusively,” Kennedy said, but the use of that unit for inpatients has “become ingrained” and “I think those changes may be hard conversations to have with operations and providers.”
The end of the PHE may be the blunt force trauma of 2023, but there are many other events in the mix. Some of them stem from regulatory and legislative changes announced in December. They include proposed changes to the Medicare 60-day overpayment rule and Medicare Advantage, the extension of Medicare coverage for telehealth and Acute Hospital Care at Home and the introduction of coverage of Software as a Service. In the enforcement arena, private equity is on everyone’s lips along with Medicare Advantage and the Anti-Kickback Statute, and there are new Department of Justice (DOJ) crossover operations—partnering with the HHS Office of Inspector General (OIG) on antitrust enforcement and deploying the civil rights division to pursue inaccessible health technology, including telehealth, with HHS.[1] “There is a hook potentially under the False Claims Act,” said attorney Colette Matzzie, with Phillips & Cohen.
It’s an interesting time to be a compliance officer, with more freedom personally to hire anywhere across the country because of remote technology and more leverage inside their organizations in light of DOJ’s new compliance officer certifications, said Donnetta Horseman, chief compliance officer at Moffitt Cancer Center in Tampa, Florida. “Skilled and tenured compliance professionals” may have expanded opportunities because they can work remotely, she noted. “It’s opening doors for compliance professionals and giving them more options to consider when contemplating a job change.” At the same time, when resolving certain corporate criminal cases, DOJ has started requiring CEOs and chief compliance officers to sign certifications that their organization’s compliance program is “reasonably designed and implemented to detect and prevent violations of the law” and functioning effectively. Compliance officers and CEOs face the threat of prosecution for making false statements if they drop the ball.
Certification Raises Stakes for Evaluations
This can be positive for compliance officers. “If presented the right way, the information gives compliance officers additional leverage,” Horseman said. Moffitt had a conversation about the DOJ certification with the board compliance committee, which led to the endorsement by board members of an external compliance effectiveness review after several years without one. The certification “is a good avenue for a compliance officer to reinforce the need for periodic evaluation of the program,” especially if the organization is in the middle of a self-disclosure or possibly facing an enforcement action, she noted.
The certification is also why compliance officers should “go to the appropriate corporate official and ask whether the directors and officers’ liability policy covers them, and if so, to what extent,” said former prosecutor Robert Trusiak, an attorney in Buffalo, New York. He noted that compliance officers in New York state also will be held to higher standards this year now that its Medicaid compliance program requirements have been updated. The Office of Medicaid Inspector General finalized regulations that, among other things, require auditors to have Medicaid audit expertise.
Surprise Package: A Change to 60-Day Rule
This year or next, regulatory changes will take effect with some potentially far-reaching consequences—if they’re finalized. Medicare Advantage (MA) plans would have to make changes to policies if a regulation published in the Dec. 27 Federal Register is finalized, but whether things get better for providers on the ground remains to be seen.[2] The CMS rule puts teeth into the requirement that MA plans follow traditional Medicare’s two-midnight rule, inpatient-only list and case-by-case exception, experts say. The rule proposes to codify regulatory language that would explicitly require MA plans to live by coverage criteria for inpatient admissions under Part A (42 C.F.R. § 412.3). According to the rule, “MA organizations may not limit coverage through the adoption of policies and procedures—whether those policies and procedures are called utilization management and prior authorization or the standards and criteria that the MA organization uses to assess and evaluate medical necessity—when those policies and procedures result in denials of coverage or payment where the Traditional Medicare program would cover and pay for the item or service furnished to the beneficiary.” In another MA proposed rule published in the Federal Register on Dec. 13, CMS would require MA plans to respond much faster to prior authorization requests.
“I’m really interested to see how the MA plans will react in 2023 to this new proposed rule,” said Ronald Hirsch, M.D., vice president of R1 RCM. “Since theoretically it’s already in place, they should start honoring the inpatient-only list and two-midnight rule.” If that’s the case now, he wonders why CMS hasn’t been enforcing it. The other possibility is MA plans will frantically deny claims because they know they’ll lose money in 2024 when they’re unquestionably bound by the two-midnight rule, Hirsch said. Whether it’s enforced this year or next, at least hospitals get paid. More significantly, CMS is unambiguous in the proposed rule that MA plans must fix their approval process for skilled nursing facilities and inpatient rehabilitation facilities. “They are denying patients access to covered care,” Hirsch noted.
In the same regulation, CMS surprised people when it proposed to refashion Medicare’s 60-day overpayment rule. The 60-day rule—which came to life in the Affordable Care Act (ACA)—requires providers to report and return Part A and B overpayments within 60 days of identifying them. According to the 2016 regulation interpreting the 60-day rule, providers are obligated to use reasonable diligence to identify overpayments by doing proactive compliance activities to monitor for overpayments and investigating potential overpayments in a timely manner. CMS defined timely as within six months of receiving “credible information” about an overpayment.
CMS envisions replacing “reasonable diligence” with language more consistent with the False Claims Act’s knowledge standard, said attorney Andrew Ruskin, with K&L Gates. “Under the proposed rule, a provider or supplier has identified an overpayment if it has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment,” according to CMS. The new definition shouldn’t get anyone bent out of shape, Ruskin said. “They are taking away the obligation to do reasonable due diligence, but performing due diligence is a way to show you’re not acting in reckless disregard of the truth,” Ruskin explained. “It’s probably close to the same thing.” It looks like CMS is floating this change because there’s nothing in the ACA about reasonable diligence. “The agency doesn’t want to put itself out there as having exceeded its statutory authority,” he said.