By: Anahita Anvari
Health Care Entrepreneurs need to know about the False Claims Act, Qui Tam Provisions and HIPAA. At a recent event, “Health Law 101: Key Legal Issues for Health Care Companies,” speakers identified the top five legal and regulatory issues for health care entrepreneurs to be aware of: The Anti-Kickback Statute, Stark Law, False Claims Act, Qui Tam Provisions, and HIPAA.
This post aims to provide a general overview of the latter three laws: False Claims Act, Qui Tam Provisions, and HIPAA. The Anti-Kickback Statute and Stark Law were addressed in Part 1 of this two-part post.
WHAT ARE THE FALSE CLAIMS ACT (FCA) AND QUI TAM PROVISIONS, AND WHAT DO THEY MEAN FOR ME?
The FCA protects the federal government from paying false or fraudulent claims. You should take steps to comply with the FCA if your business serves patients of government health care programs such as Medicare or Medicaid.
A claim, defined generally, is a request or demand for money or property from the government. Under the FCA, it is illegal to submit claims for payment to the government that you know or should know are false or fraudulent. The FCA also imposes liability when one acts to inappropriately avoid paying money to the government or conspires to violate the FCA. Therefore, you should not submit a claim for payment if, for example, the claim reflects a service that was not truly performed, the bill price is higher than the true price, or the claim incorrectly lists the provider who performed the services. There are no exceptions to this rule.
a. How Are FCA Violations Filed and What Are the Consequences?
Lawsuits for FCA violations may be filed by private citizens (also known as “Relators”) on behalf of the federal government. These lawsuits are permitted under the Qui Tam provisions of the FCA. Relators may receive statutory rewards for filing these lawsuits.
FCA liability may result in a civil monetary penalty for each false claim. Because each false claim is its own penalty, these fines can be detrimental. For example, the Office of Inspector General recently settled a case with a Connecticut provider for violating the FCA. The provider had billed Medicare for procedures that were already included in another billed item, essentially double-billing the government. The settlement was for $792,076.76.
B. How Can I Comply with the FCA?
You should take appropriate steps to comply with FCA by maintaining and implementing an effective compliance program. The seven essential elements to create an effective compliance program are detailed in Part 1 of this post.
Be aware that some states have their own false claims acts. These state laws may differ from the federal law. You should consult with an attorney regarding the laws in your state.
WHAT IS HIPAA AND WHAT DOES IT MEAN FOR ME?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal regulation that governs the privacy and security of protected health information. Protected health information (PHI) is individually identifiable health information in any form (electronic, paper, or verbal) that relates to an individual’s physical or mental health condition, or to the provision and payment of health care to the individual. HIPAA protects PHI when it is transmitted by a covered entity or its business associate. Therefore, your business must comply with HIPAA if it qualifies as a covered entity or business associate. Click here to determine if your business qualifies as a covered entity or a business associate.
A. Are There Exceptions to HIPAA?
There are some limited exceptions to HIPAA. Covered entities may use or disclose PHI without authorization for treatment, payment, and healthcare operations, such as utilization review and credentialing. Other examples include judicial and administrative proceedings, research, or public health emergencies. You should consult with an attorney or compliance professional to be sure the use or disclosure falls within an exception.
B. I Am a Covered Entity or a Business Associate…Now What?
A covered entity or business associate must comply with HIPAA. You should be familiar with the major HIPAA rules and take measures to comply with them:
- The Privacy Rule establishes criteria for protecting PHI, gives patients certain rights to their health information, and permits use and disclosure of PHI under specific circumstances.
- The Security Rule requires covered entities and business associates to develop and implement safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
- The Breach Notification Rule sets forth notification requirements should a breach of unsecured PHI occur.
- The Enforcement Rule outlines the procedures for investigating potential HIPAA violations and imposing liability.
C. What Are Examples and Consequences of HIPAA Violations?
Generally, HIPAA requires you to protect PHI from unauthorized access, use, or disclosure. Examples of violations include lost or stolen devices that contain PHI, posting PHI on social media, or an employee disclosing PHI to friends or coworkers.
HIPAA violations may result in civil monetary penalties (CMPs), criminal penalties, or mandatory exclusions from participating in Medicare. CMPs range from $100 per violation to $50,000 per violation, depending on the severity. Criminal penalties can result in jail time from one to ten years. For example, a hospital in Texas agreed to a $2.4 million settlement for violating HIPAA after it released the name of a patient to multiple media outlets in a press release.
D. How Do I Comply with HIPAA?
You should comply with HIPAA by implementing safeguards to protect PHI from unauthorized use and disclosure. Examples of safeguards include proper training of employees, use of encryption and decryption of electronic messages, conducting audits, keeping inventory of hardware and electronic devices, conducting periodic risk assessments, reviewing Business Associate Agreements, reporting any security incidents, and consulting with an attorney.
This post was authored February 4, 2019 and reproduced with the author’s consent from here.
Anahita Anvari, at the time of this post, is a second-year law student at Penn State’s Dickinson Law. She is from Southern California and is interested in health care law. Anahita founded the Health Law and Policy Society and is currently serving as an Associate Editor of the Dickinson Law Review.
Sources:
- For a complete list of sources, see original post here.
- https://www.justice.gov/sites/default/files/civil/legacy/2011/04/22/C-FRAUDS_FCA_Primer.pdf
- https://www.hhs.gov/hipaa/for-professionals/faq/covered-entities/index.html
- https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- https://hipaaqsportal.hhs.gov/a/index
- https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
- https://sites.psu.edu/entrepreneurshiplaw/2018/11/05/health-care-entrepreneurs-guide-to-important-laws/
- https://www.govinfo.gov/app/details/USCODE-2010-title31/USCODE-2010-title31-subtitleIII-chap37-subchapIII-sec3729
- https://www.law.cornell.edu/uscode/text/31/3730
- https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
- https://www.hipaajournal.com/hipaa-compliance-checklist/
Photo Sources:
- http://fcpablog.squarespace.com/blog/2014/11/6/the-false-claims-act-a-primer-for-whistleblowers.html
- http://www.vhha.com/programs/event/webinar-hipaa-and-new-technologies-using-texting-and-social-media-within-the-rules/
- https://blog.v-comply.com/compliance-healthcare-industry/
