HHS-OIG Proposes New Regulations Expanding CMP Authority
Two weeks ago, I posted a blog about a recent False Claims Act (FCA) settlement at the intersection of healthcare and procurement fraud. In early March, I wrote about FCA and compliance issues involving electronic health records systems (EHRs). Now the Department of Health and Human Services Office of Inspector General (HHS-OIG) is expanding its enforcement efforts in both of these areas.
On April 24, 2020, HHS-OIG published a proposed rule that would expand its civil monetary penalty (CMP) authority. The proposed rule, (1) modifies 42 CFR §§ 1003 and 1005 to expand CMP authority to fraud and misconduct involving HHS “grants, contracts, and other agreements” pursuant to the 21st Century Cures Act (Cures Act); (2) provides HHS-OIG the authority to investigate and impose CMP penalties for information blocking pursuant to § 3022 of the Public Health Services Act (PHSA); and (3) increases the amounts of certain CMPs pursuant to the Bipartisan Budget Act of 2018 (BBA).
The first change broadens the current scope of CMP authority beyond traditional healthcare fraud. Historically, HHS-OIG has used the CMP law to levy penalties and exclusions for fraud on federal healthcare programs – Medicare and Medicaid in particular. Under the proposed rule, HHS-OIG could investigate misconduct involving HHS grants, contracts, and other agreements as well. This would include instances where a party (1) knowingly presented a false claim; (2) knowingly made a false statement, omission, or misrepresentation in an application, bid, etc., in order to receive funds; (3) knowingly made or used a false record or statement material to a claim; (4) knowingly made or used a false record or statement material to an obligation to pay funds; (5) knowingly concealed or avoided an obligation to pay funds; or (6) failed to grant HHS-OIG timely access to records for an audit or investigation of the subject grant or agreement.
The proposed rule, (1) modifies 42 CFR §§ 1003 and 1005 to expand CMP authority to fraud and misconduct involving HHS ‘grants, contracts, and other agreements’ . . . (2) provides HHS-OIG the authority to investigate and impose CMP penalties for information blocking . . . and (3) increases the amounts of certain CMPs . . . .
The second change expands HHS-OIG’s CMP authority to information blocking. Information blocking is any practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).” The proposed rule would authorize information-blocking investigations of (1) developers of health IT; (2) entities offering certified health IT; (3) health information exchanges; and (4) health information networks, but would not apply to most healthcare providers, who are subject to sanctions under other provisions. The proposed rule lists a number of factors HHS-OIG will consider in investigating and imposing CMPs for information blocking.
Finally, the proposed rule would increase the amounts of certain CMPs under the regulations in accordance with the BBA. For example, a violation of 42 U.S.C § 1320a-7a(a) that carried a $50,000 maximum CMP would have a $100,000 maximum CMP. Violations of 42 U.S.C. § 1320a-7a(b) that had a $5,000 max CMP would see that bumped up to $10,000. FCA penalties are regularly adjusted upward in a similar manner.
The first two changes in particular are significant. While HHS contractors and grant recipients are already subject to FCA liability in many cases, the CMP expansion would provide additional avenues for investigation and enforcement by “the largest grant-making agency” in the country. Investigations that might be delayed or declined in an overburdened U.S. Attorney’s Office, or may not meet its monetary threshold, may see renewed focus from HHS-OIG.
Moreover, as HHS-OIG acknowledges in the proposed rule, “information blocking is newly regulated conduct” and “some individuals and entities subject to information blocking CMPs may not be familiar, or have limited experience, with OIG’s enforcement authorities . . . .” Still, HHS-OIG considers information blocking to have significant negative effects on “patient safety, care coordination in the healthcare system, and the ability of patients and providers to have information to make informed, appropriate decisions about important healthcare decisions.” HHS-OIG will not initiate information-blocking enforcement efforts until 60 days after the final rule issues, but EHR developers and other healthcare IT companies should begin reviewing their systems now to ensure compliance. HHS-OIG may want to set some precedents and demonstrate that it is serious about information blocking soon after that 60 days expires.
Comments on the proposed rule are due June 23, 2020.