Mintz Levin Health Care Reform Practice


May 6‚ 2011

ACO Fraud and Abuse Provisions

By Brian P. Dunphy and Ellyn L. Sternfield

On March 31, 2011, a little over a year after the Patient Protection and Affordable Care Act (PPACA), as amended by the Health Care and Education Reconciliation Act of 2010 (collectively, the ACA), became law, the Centers for Medicare & Medicaid Services (CMS) released proposed regulations (the Proposed Rule) addressing the operation and structure of Accountable Care Organizations (ACOs) and creating the Medicare Shared Savings Program (the Program).1  The arrangements that may be necessary or desirable to form ACOs and to participate in the Program raise new fraud and abuse concerns. Providers will need to understand and address the fraud and abuse provisions of the Proposed Rule in order to assure initial and ongoing compliance. The deadline for submitting comments on the proposed regulations is June 6, 2011.

A previous Mintz Levin advisory addressed the fact that, as part of the Program, CMS and the Office of Inspector General (OIG) for the Department of Health and Human Services (HHS) anticipate waiving certain existing federal fraud and abuse laws for qualifying participating ACOs.2  While much attention has been given to these anticipated waivers, the Proposed Rule itself contains its own fraud and abuse provisions that, if implemented, will not be subject to waiver.

Program Integrity Requirements for ACOs

In the Proposed Rule, CMS proposes “several program integrity criteria to protect the Shared Savings Program from fraud and abuse and to ensure that the Shared Savings Program does not become a vehicle for, or increase the potential for, fraud and abuse….” 3  These proposed requirements include compliance plans, certifications of compliance and the accuracy of information, conflict of interest policies, ACO screening, and the prohibition of certain required referrals and cost-shifting.

Compliance Plans

An ACO must have a compliance plan that addresses how the ACO will comply with applicable legal requirements. CMS has proposed that an ACO may build on an existing compliance plan or coordinate compliance with compliance efforts of providers/suppliers, and notes that the design and structure of the plan can vary depending upon the size and business structure of the ACO. The ACO must demonstrate that it has a compliance plan with at least the following elements:

·         a designated compliance official who reports directly to the ACO’s governing body;

·         mechanisms for identifying and addressing compliance problems;

·         a method for employees or contractors of the ACO or ACO providers/suppliers to report suspected problems related to the ACO;

·         compliance training of the ACO’s employees and contractors; and

·         a requirement to report suspected violations of law to an appropriate law enforcement agency.4

Compliance with Program Requirements

An ACO is responsible for compliance with all terms and conditions of its agreement with CMS, an obligation complicated by the potential number of relationships within an ACO. Toward that end, CMS has proposed that ACO executives and ACO participants, such as individuals, entities, contractors, or subcontractors, must make various certifications of compliance, including the following:

·         an ACO executive must certify the accuracy, completeness, and truthfulness of information in the Program application, agreement, and quality data;

·         an authorized representative “must make a written request to [CMS] for payment of the shared savings in a document that certifies the ACO’s compliance with Program requirements as well as the accuracy, completeness, and truthfulness of any information submitted by the ACO, the ACO participants, or the ACO providers/suppliers”; and

·         an “ACO participant, individual, entity, contractor, or subcontractor must similarly certify the accuracy, completeness, and truthfulness of the data and provide the government with access to such data for audit, evaluation, and inspection” if that data is generated by the entity.5

Conflicts of Interest

CMS has proposed that the ACO’s governing body have a conflicts of interest policy requiring members of the governing body to disclose relevant financial interests.

Screening of ACO Applicants

ACOs are not enrolling in Medicare and thus will not be subject to the Medicare screening process. However, CMS is considering screening ACOs based on their “program integrity history” during the Program application process, and is accepting comments on the screening process.

Prohibition on Certain Required Referrals and Cost-Shifting

CMS expressed concern, especially if patients are assigned to ACOs prospectively, that “ACOs or ACO participants may offer or be offered inducements to overutilize services or to otherwise increase costs for Medicare or other federal health care programs with respect to the care of individuals who are not assigned to the ACO under the Shared Savings Program.”6 As a result, CMS may prohibit “ACOs and their ACO participants from conditioning participation in the ACO on referrals of federal health care program business that the ACO or its ACO participants know or should know is being provided to beneficiaries who are not assigned to the ACO.” 7 Enforcement of the Physician Self-Referral Law (the so-called Stark Law) has long been an area of focus for enforcement authorities, and independent of future fraud and abuse waivers, ACO referrals/cost-shifting may similarly become an enforcement focus.

Provisions for Monitoring/Terminating ACOs

CMS has also proposed routine monitoring of ACOs to determine if they are complying with Program requirements.8 CMS will routinely monitor ACOs by analyzing financial and quality data, conducting site visits, assessing and investigating beneficiary and provider complaints, and conducting audits.9

Given this monitoring, record retention will be extremely important, and ACOs must carefully preserve records and assure that ACO participants, ACO providers/suppliers, and other contracted entities performing services and functions on behalf of the ACO likewise comply with record retention requirements. Further, these entities must grant HHS, the comptroller general, the federal government, or their respective designees access to their books and records “sufficient to enable the audit, evaluation, and inspection of the ACO’s compliance with the Shared Savings Program requirements and the ACO’s right to any shared savings program.” 10

Because CMS has taken the view that, even though ACOs are comprised of many entities, the ACO has the ultimate responsibility for compliance with the terms and conditions of its agreement with CMS, including the record retention requirement. An ACO must be vigilant about record retention and assure that contracts with its participants, providers/suppliers, and other entities require compliance regarding record retention. The ACO may also want to assure that such contracts provide it with the ability to audit, evaluate, and inspect the party’s records so that it can assure compliance.

CMS has proposed to specifically monitor the following:

·         Avoidance of At-Risk Beneficiaries. CMS will monitor ACOs (through analysis of claims and beneficiary level documentation) for avoidance of “patients at-risk.” 11  CMS may take corrective actions against ACOs that are found to have engaged in such conduct, including termination where necessary.

·         Compliance with Quality Performance Standards. CMS will review the ACOs’ submission of quality measurement data to identify ACOs that are not meeting the quality performance standards.12 If an ACO fails to meet “the minimum attainment level for one or more domains, CMS proposes to give the ACO a warning and to reevaluate it the following year.”13 If an ACO fails to report any quality measures, CMS will send the ACO a written request for the data and require the ACO to provide a reasonable written explanation for its delay. CMS may immediately terminate the ACO for failing to report quality measures if the ACO fails to report by the requested deadline and does not provide a reasonable explanation for delayed reporting.14

Penalties and Termination of an ACO Agreement

CMS has defined the proposed penalties for ACOs, which include termination from the Program. The Proposed Rule lists many examples of bases for termination, including avoidance of at-risk beneficiaries, failure to supply required information, violations of fraud and abuse laws, and the use of false information. However, before terminating an ACO (particularly for violations that are “minor in nature and pose no immediate risk or harm to beneficiaries or impact on care”), CMS, in its sole discretion, may provide a warning notice to the ACO of the specific performance at issue, request a corrective action plan (CAP) from the ACO, or place the ACO on a special monitoring plan.15, 16

Other Fraud and Abuse Provisions

Although not specifically identified as fraud and abuse provisions, other portions of the Proposed Rule have fraud/abuse implications. The fact that ACOs will be required to provide Tax Identification Numbers and National Provider Identifier Numbers for all ACO professionals will have the effect of screening out ACO use of excluded providers.17 The mandated CMS preapproval process for all marketing materials, communications, and activities related to an ACO and its participation in the Program extends to advertisements, mailings, brochures, web pages, telephone calls, outreach, and community events, and is intended to protect beneficiaries from exposure to fraudulent or misleading materials.18

The extent of the fraud and abuse waiver in the final rule will necessarily affect the extent to which compliance with the regulations may become a basis for proceedings under the federal False Claims Act (FCA),19 including potential qui tam filings. As noted earlier, the Proposed Rule contains numerous provisions requiring ACOs to certify compliance with various Program requirements to access shared savings, making it an open question as to whether any alleged false certifications may be actionable as false claims under the FCA.

Further, while the proposed fraud and abuse waivers may provide ACOs some comfort under federal law, the extent to which the final regulations will preempt state enforcement, especially under state Consumer Protection/Unfair Trade practices statutes, remains unclear. The Proposed Rule contains multiple provisions requiring information to be provided to beneficiaries as to the services to be received through the ACO. Federal preemption of state claims is not automatic in a Medicare-funded program.20 If an ACO fails to provide the beneficiary the represented services, that failure may be actionable as a violation of the state statutes.

While OIG officials have signaled that they expect the final standards for fraud and abuse waivers in the rule will be applied consistently across all entities,21 few other details have seeped out. Clients seeking further information about federal and state fraud and abuse enforcement authorities and their potential impact on ACOs should contact the authors or their Mintz Levin attorneys.

* * *


Medicare Program; Medicare Shared Savings Program: Accountable Care Organizations, 76 Fed. Reg. 19537 (April 7, 2011).

Roy M. Albert, Thomas S. Crane, and M. Daria Niewenhous, CMS and OIG Issue Notice, Solicit Comments Related to Waivers of Fraud and Abuse Provisions for Accountable Care Organizations, April 6, 2011.

76 Fed. Reg. at 19551.

76 Fed. Reg. at 19552.

See note 4 above.

See note 4 above.

Id. at 19952–53.

76 Fed. Reg. at 19624.

See note 8 above.

10  76 Fed. Reg. at 19625.

11  In the Proposed Rule, CMS offered a definition of “patients at-risk” to mean patients “who have a high risk score on the CMS–HCC risk adjustment model, are considered high cost due to having two or more hospitalizations or emergency room visits each year, are dually eligible for Medicare and Medicaid, have a high utilization pattern, those who have one or more chronic conditions … or beneficiaries who have a recent diagnosis … that is expected to result in an increased cost.” 76 Fed. Reg. at 19625.

12  76 Fed. Reg. at 19626.

13  See note 10 above.

14  See note 12 above.

15  If an ACO were under a CAP for avoiding at-risk beneficiaries, it would not receive shared savings payments while it is under the CAP regardless of the period of performance in question, and the ACO would not be eligible to earn any shared savings for the period during which it is under the CAP. 76 Fed. Reg. at 19625.

16  76 Fed. Reg. at 19624–26.

17  76 Fed. Reg. at 19563–64.

18  See note 3 above.

19  31 U.S.C. §3729 et. seq.

20  Ackermann v. United Healthcare Service Inc., Civil Action No. 3:08CV718TSL-JCS, 2009 WL 1769393, *2 (S.D. Miss. June 23, 2009) (remanding state law claims alleging fraudulent Medicare Advantage Program enrollment to state court, as such were not preempted). See also Do Sung Uhm v. Humana, Inc., 620 F.3d 1134, 1152–53 (9th Cir. 2010) (dismissing state consumer protection case against a Medicare Part D provider, over failure to exhaust the CMS administrative process and because the plaintiffs’ state claims were preempted under the Medicare Act).

21  See Vicki L. Robinson, OIG senior advisor, Comments during BNA Webinar: Proposed ACO Rule, Risks & Challenges for Compliance Officers (Apr. 28, 2011).