Tricky regulations stir up questions about what constitutes overpayment and when disclosure is needed
If there is insufficient address information for the individual, you also must post the breach on your Web site or publish it with major print or broadcast media. Additionally, you must notify the secretary of Health and Human Services (HHS).
If the breach involves more than 500 individuals, the notice must be sent immediately to HHS and will be posted on the HHS Web site. If the breach concerns fewer than 500 individuals, then you may submit an annual log of the breach with all other breaches you may have experienced in that year.
Perhaps the most significant disclosure requirement facing providers today is when to disclose overpayments, wrongful billing, noncompliance, or fraud of the Medicare and Medicaid programs, including the wrongful employment of excluded persons, and the anti-kickback statute and physician anti-referral laws (Stark laws). Due to the evolving nature of these laws, providers and compliance officers are challenged every day to determine when and to where to disclose noncompliance.
OVERPAYMENT GRAY AREA
For example, the 1998 OIG SDP set forth how to disclose a problem with Medicare billing that is significant enough to be a violation of the law. The question remains as to the gray area between what constitutes an overpayment and when a matter requires self-disclosure. To further complicate the matter, the OIG in 2006 and 2008 encouraged providers to use self-disclosure protocol (SDP) for Stark violations.
However, in 2009, the OIG stated that the SDP should only be used for a Stark violation if there is also an anti-kickback violation. There appears to be no formal process for disclosing Stark violations, which do not have an anti-kickback violation. Government representatives recently suggested at a national conference that these claims can be brought to your U.S. Attorney. Unlike the SDP, there is no protocol to assist a provider with the process and the possible outcomes related to self-disclosure.
If you become aware of a breach of privacy or any of the billing regulations, including fraud and abuse and Stark, evaluate all of your options regarding disclosure. Always conduct a thorough investigation and audit of the situation under the attorney/client privilege in order to fully assess the penalties that may be imposed. Research any possible laws, rules, regulations, or guidance that might help your position concerning perceived noncompliance.
Anthea R. Daniels is a Calfee, Halter & Griswold LLP partner.