All companies rely on third parties, independent contractors, suppliers and other key partners in order to effectively perform their services. Collectively referred to as vendors, these business relationships for healthcare organizations often include key suppliers such as durable medical equipment, contract employees, software and technology, janitorial services, and a plethora of other service providers.
But how well do you know your vendors?
In this post, we’ll explain the importance of knowing what’s lurking in your vendor network, while exploring several cases of vulnerabilities that left healthcare organizations with vendor-driven enforcement fines and penalties.
What the HHS-OIG says about vendor compliance
As referenced in our recent post on definitions and regulations for healthcare vendors, the HHS Office of Inspector General Exclusions Program mandates that healthcare organizations refrain from doing business with “excluded or sanctioned” individuals or entities, which includes your organization’s network of vendors. In addition to exclusion monitoring of individuals within your workforce and provider networks, you are responsible for ensuring your vendors are clear of any state or federal exclusion lists, such as the OIG’s List of Excluded Individuals and Entities (LEIE).
According to the OIG Special Advisory Bulletin 2013:
If a health care provider arranges or contracts (by employment or otherwise) with a person that the provider knows or should know is excluded by OIG, the provider may be subject to [Civil Monetary Penalties] liability if the excluded person provides services payable, directly or indirectly, by a Federal health care program.
For example, an excluded individual may not serve in an executive or leadership role (e.g., chief executive officer, chief financial officer, general counsel, director of health information management, director of human resources, physician practice office manager, etc.) at a provider that furnishes items or services payable by Federal health care programs. Also, an excluded individual may not provide other types of administrative and management services, such as health information technology services and support, strategic planning, billing and accounting, staff training, and human resources, unless wholly unrelated to Federal health care programs.
Although an exclusion does not directly prohibit the excluded person from owning a provider that participates in Federal health care programs, there are several risks to such ownership. OIG may exclude the provider if certain circumstances regarding the ownership are present.
Check out pages 15-16 of the OIG Bulletin to learn more on the specifics of ownership and excluded individuals. Additionally, check out this HHS-OIG 2016 report, Medicare: Vulnerabilities Related to Provider Enrollment and Ownership Disclosure, which revealed “vulnerabilities that could allow potentially fraudulent providers to enroll in the Medicare program.”
Recent cases of OIG enforcement and other fines, penalties related to vendors
1. Case Study: Joseph C. Moon
In this enforcement example, an owner was excluded, but hid behind the corporate veil of a company, which eventually led to both individual and company fines and exclusions.
In January 2015, the OIG settled for $96,259 with a Minnesota Pharmacist, Joseph C. Moon, for submitting claims while excluded from March 2006 through July 2013. Moon owned and managed a pharmacy that participated in federal healthcare programs while he was excluded from participating in those programs. Moon thought he could avoid penalty by simply billing under the pharmacy that he owned, which is specifically prohibited.
2. Case Study: OFAC Enforcement
In a recent post, we shared that the Office of Foreign Assets Control (OFAC) updates and maintains lists of foreign individuals and entities designated as threats to federally funded programs and prohibits U.S. based companies and individuals from conducting business, directly or indirectly, with them.
What does this mean to healthcare providers in the U.S.?
OFAC has expanded its enforcement priorities toward non-bank financial service providers and non-financial services firms, such as technology, agricultural and healthcare sectors.
Since 2016, OFAC has sought investigations and penalties against healthcare companies of all sizes. Some examples include:
- United Medical Instruments Inc. ($515,400)
- World Class Technology Corporation ($43,200)
- HyperBranch Medical Technology, Inc. ($107,691)
An OFAC listed individual or entity designation has an impact on multiple industries, but since OFAC isn’t specific to just healthcare, policies for screening against its data vary across organizations. However, healthcare receives federal funding, and thus OFAC is an additional sanction list that you should add to your vendor compliance plan/program.
3. Case Study: S. Bay Mental Health Centers (and the associated PE firm)
U.S. ex rel. Martino-Fleming v. S. Bay Mental Health Centers and HIG Growth Partners, H.I.G. Capital, LLC, Community Intervention Services Holding Co, Peter Scanlon and Kevin Sheehan
This is a qui tam (whistleblower) action brought by a former S. Bay Mental Health Centers (hereinafter referred to as “South Bay”) employee involving false claims for reimbursement of services provided by unlicensed and improperly supervised social workers and counselors at South Bay. In addition, the suit involved alleged submission of false claims for reimbursement to the Massachusetts Medicaid Agency.
The defendants settled and paid $19.95 MM in reimbursements and fines, as well as $5.05 MM by two of the company’s directors and officers. This case is unique as the private equity firm that funded the purchase of South Bay facilitated, and its partners paid for part of the damages given the PE firm’s role and knowledge gained during due diligence and review of the operations and billing practices of South Bay.
The Massachusetts Attorney General had already fined South Bay $4M in February 2018. South Bay agreed to pay $4 million for its role in the scheme and entered into a five-year compliance program overseen by an independent monitor to ensure that its clinics came into full compliance with MassHealth regulations.
This action was in addition to the 2018 settlement and sought these additional actions alleging that the clinics named in the complaint suffered significant gaps in licensing and supervision of therapists during the relevant time period. The AG’s investigation revealed that South Bay had a widespread pattern of employing unlicensed, unqualified, and unsupervised staff at its mental health facilities in violation of MassHealth regulations, according to the amended complaint.
The court addressed that the PE firm and its officers and directors were aware of the Massachusetts regulations requiring certain forms of supervision and licensure/qualifications in order to bill Medicaid for the services provided by South Bay, which they owned. Further, it was determined that the PE firm members were informed that clinicians at South Bay were provided with inadequate supervision, and that because of these practices, employees were leaving South Bay.
A healthcare organization is ultimately responsible for the actions, inactions, bad actors, and billings submitted by or through its vendors or vendors’ employees, as the healthcare ecosystem of providers and vendors is intricately connected. Luckily, proper vendor monitoring doesn’t have to be a reactive process – by proactively vetting, monitoring, and continuously checking the status of the individuals and entities associated with your healthcare organization, you can rest easy knowing that fraud and civil fines and penalties will be kept at bay, ultimately, providing a safer healthcare for all.