February 13, 2007

Some Medicaid providers have new federal education requirements to grapple with beginning January 1, 2007.  The Deficit Reduction Act of 2005 (“DRA”) requires that all health care providers that “make or receive” annual Medicaid payments of $5 million or more (“covered entities”) provide to their employees, contractors, and agents detailed information in written policies about the federal False Claims Act and any state laws that pertain to civil or criminal penalties for making false claims and statements to the Government or its agents.  The DRA is yet another example of the recent focus on Medicaid fraud and abuse at both the federal and state levels.

Initially, the DRA raised as many questions as it answered. For example, there has been some confusion about how the federal government will ultimately define the threshold trigger for which facilities make or receive $5 million or more in Medicaid payments.  In addition, state Medicaid agencies are also subject to the new requirements and exactly how states will implement the requirements remains unclear.  However, on December 13, 2006, the Centers for Medicare and Medicaid Services (“CMS”), the agency primarily responsible for implementing this part of the DRA, issued a letter to State Medicaid Directors attempting to clarify at least some issues. Also, CMS sponsored a conference call on Thursday, January 11, 2007 to answer questions and attempt to provide additional guidance regarding the DRA requirements.  The CMS letter and conference call clarified some of the uncertainty. CMS stated that an entity furnishing items or services at more than a single location or under more than one contractual or other payment arrangement is covered if its aggregate annual payments or receipts meet the $5,000,000 annual threshold, whether the entity uses one or more provider or tax identification numbers.  The federal fiscal year, which ends September 30, will be used for calculating annual payments or receipts.

The law appears to be self-implementing, meaning that providers cannot assume their obligations to comply are contingent upon further action by either CMS or their state Medicaid agency.  CMS has declined to give providers any assurance that there will be a grace period before compliance is required or enforcement action undertaken. States are also required to amend their state Medicaid plans and provider agreements to reflect the new law.  Whether or not States amend their Medicaid plans and provider agreements prior to January 1, 2007, or otherwise issue guidance, providers are expected to have in place by that date their written “education” to employees, contractors or agents. CMS has no current plans for enforcement instead relying on each state for enforcement according to its State Plan Amendment.

Here are the key “known” components required under the new DRA education requirements and some tips and resources for providers subject to the law by virtue of their annual Medicaid receipts and/or payments:

• The new law applies to any health care provider, including hospitals, nursing facilities and assisted living communities, who meets the threshold test of making or receiving $5 million or more annually in Medicaid payments. However, there are no other exceptions which would otherwise cause a provider to be a qualifying entity if that threshold is not met. For example, an entity that manufactures products furnished to healthcare providers or patients, but does not bill or receive payments from Medicaid, would not be a qualifying entity (but might be a contractor or agent).

• Compliance with the DRA’s education requirements is a condition of participation under the Medicaid program, meaning that the sanctions for a provider found noncompliant include loss of its Medicaid participation agreement and receipt of Medicaid reimbursement, as well as potential liability under the federal, and any applicable state, False Claims Act.

• Each state will decide whether it will use date of service or date of payment to determine if the $5 million threshold is met but the method chosen should be consistently applied from year to year to all entities within the state. However, only the final adjudicated amount (Medicaid payments made or received) and not the amount billed, will be counted toward the $5 million threshold.

• The provider’s “education” materials must be shared with contractors and agents, as well as employees, and initial indications from CMS are that these terms will include any individual or entity which, on behalf of the covered entity, furnishes or otherwise authorizes the furnishing of the delivery of Medicaid health care items or services, performs billing or coding functions, or is involved in the monitoring of health care provided by the entity. However, contractors or agents who provide non-medical items and services not related to the care of Medicaid patients such a copy machines, lawn care and food service, would not be covered. It is also important to remember that the test for whether a provider has to share its fraud education with agents and contractors is whether the provider makes or receives the requisite amount of Medicaid payments annually, not whether the agent or contractor handles $5 million or more annually of business linked to the Medicaid program for the provider. Medicare payments are irrelevant to this law.

• The provider’s written policies must include detailed information about civil and criminal penalties for fraud and abuse under both federal and state laws, which must include the role of these laws in preventing and detecting fraud and protections for “whistleblowers” who report such violations to authorities.  This must include a description of state-specific fraud and abuse laws and should include the state’s False Claims Act.  North Carolina has a False Claims Act but it does not currently include whistleblower provisions. The policies must also address the individual provider’s policies and procedures for detecting and preventing fraud, waste and abuse in health care programs. The policies may be in hard copy or electronic format, so long as they are readily available to employees, contractors or agents.

• These policies must be included in any employee handbook the employer currently utilizes with its employees.  If an employer has no employee handbook, he or she is not required to create one.  However, the provider’s policies must be provided in writing somewhere within documents routinely made available to employees.  CMS is leaving it to individual state program guidance and the entity’s best judgment to decide to what extent the documents provided to employees may summarize those policies and procedures.

• The policies must also be shared with contractors and agents.  This may be done in one of several ways, such as a standard letter that goes to all contractors and agents, with the provider’s policies attached. As a general rule, CMS did not believe the law requires an entity to amend its agreements with contractors to include such policies, but ultimately left it up to the entity to make that determination. CMS is considering the issue of whether the contractors and agents will be required to actually adopt the policies and procedures of their contracting entity. CMS appears to recognize the many practical difficulties such an interpretation would present.

• Providers that have an existing corporate compliance program may rely upon its existing policies so long as they address the requisite components, discussed above.  In particular, providers who developed their compliance programs from templates or national models should review those programs and attendant policies to ensure that a discussion of state laws governing health care fraud and abuse is included and that such laws are reflected in the facility’s policies and procedures.  Providers that choose to rely upon existing corporate compliance programs and policies may want to consider extracting a summary of the laws and policies relating specifically to fraud and abuse and providing those to employees, agents and contractors, and then retaining documentation of that effort, to demonstrate their compliance with the new DRA provisions. CMS will not provide such a model or summary of the laws and policies to the states or providers but has indicated the Department of Justice and/or Health and Human Services is considering doing so. The Ohio Medicaid Program has already posted such a summary at www.jfs.ohio.gov/OHP/index.stm.

• While the DRA clearly establishes the requirement for “education” about federal and state laws governing fraud, the law is not very clear on how providers should disseminate education materials and policies, other than directing that providers who have existing personnel manuals must include the new education provisions in those manuals.  The DRA does not require “training” on the new DRA policies.  This suggests that providers may meet the DRA education requirements by developing new policies, or modifying existing ones, and providing the policies to employees, agents and contractors in writing.  However, including these policies in regular compliance training, and documenting that specifically, will allow a provider to demonstrate clearly its compliance with the DRA provisions.

CMS will almost certainly issue further implementation guidance sometime in 2007 to its regional offices and to State Medicaid agencies, and many states will probably likewise offer guidance to individual providers who receive Medicaid funds. CMS also plans to provide additional guidance on its website by posting State Plans and State Plan Amendments as they are approved and by addressing some of the questions left unanswered during the January conference call. Providers should watch for additional guidance on these new requirements.

Some of the many questions that will need to be answered include: (1) whether physicians who are not employees, but have staff privileges and attend patients at a hospital or long term care facility are considered contractors or agents; (2) how the new law will be applied to health care providers who qualify both as a covered entity and as a contractor or agent; (3) whether the scope of the new law reaches sub-contractors; (4) the applicability of the DRA requirements when several qualifying entities enter into group purchasing arrangements; and (5) the impact of the new law on a university system operating a teaching hospital or on a county government  operating a covered health care facility.

For questions about this Health Care Alert or assistance with issues concerning compliance with government healthcare programs or other matters involving healthcare law, please contact Ken Burgess at kburgess@poynerspruill.com or 919.783.2917 or Chris Brewer at cbrewer@poynerspruill.com or 919.783.2891.