A Provider’s Guide to OIG Exclusions: Part 2
Federal Exclusion Regulations and Enforcement Authorities, and How Providers Can Avoid Risk with Proper Exclusion Screening–Part 2
Paul S. Weidenfeld, JD
Office Inspector General of (OIG) exclusions are one of the most powerful weapons available to law enforcement in its effort to fight healthcare fraud. Individuals and entities subject to an OIG exclusion are barred from participation in all federal healthcare benefit programs, resulting in a payment prohibition on all items and services they provide, whether directly or indirectly. Additionally, providers that employ or contract with excluded individuals or entities risk the imposition of civil money penalties, overpayment liability, and even potential exposure under the False Claims Act. However, even though OIG exclusions also are one of law enforcement’s oldest tools, many providers often fail to appreciate their compliance obligations with respect to exclusions and the risks associated with employing or contracting with excluded individuals or entities. Indeed, many providers make only minimal efforts to screen their employees and contractors to ensure compliance—and some make no effort at all. This article seeks to educate providers on the existing legal and regulatory framework, the risks and potential consequences of a failure to comply with those laws and regulations, and how best to comply and avoid those risks.
ENFORCEMENT OF OIG EXCLUSION VIOLATIONS
he Office of Inspector General (OIG) credits the 1999 Special Advisory as the “beginning” of its initiative to ensure compliance and enforcement of exclusions (2013 Special Advisory, at pg 2), but the updates to the OIG’s Self-Disclosure Protocol and its Special Advisory on the Effect of Exclusions in 2013 more accurately mark the beginning of the OIG’s focus on exclusion enforcement. Before the Special Advisory was updated, for example, the OIG routinely suggested that providers screen employees and those with whom they had contracts on an annual basis, whereas the Updated Advisory requires monthly screening of a significantly expanded universe of persons and entities. And until the OIG issued its Updated Self-Disclosure Protocol only weeks earlier, there was no established protocol for providers to self-disclose exclusion violations. Read together, and in conjunction with the investigation and repayment obligations in the Affordable Care Act (ACA), these three principles form the foundation upon which exclusion enforcement is based.
Enforcement matters come to the OIG’s attention in a variety of ways. In addition to its inherent authority to initiate investigations, the OIG receives hotline tips, referrals from its sister agencies, referrals from various CMS contractors, self-referrals from providers wishing to avoid civil monetary penalties (CMPs), and whistleblower actions, to name just some. With respect to exclusion enforcement, however, the OIG historically has relied heavily on self- disclosures. Indeed, until the 2013 Updates, the OIG rarely initiated investigations based on exclusion violations on its own. In the years leading up to the 2013 Updates, the OIG reported the following numbers of exclusion settlements based on an investigation it had initiated: seven in 2010; three in 2011; ten in 2012; and none in 2013 prior to the publication of the updates.
Since 2013, however, some change has been evident. The number of reported settlements based on OIG investigations increased to a high of 26 in 2015; both the Office of Evaluations and Inspections and the Office of Audit have reported separate “exclusion initiatives”; and in 2015, the OIG established a special litigation unit that focused on the imposition of civil monetary penalties and exclusions.
Many providers are under the mistaken impression that the OIG’s enforcement efforts are focused on physicians and other direct billers, and therefore think that their credentialing process adequately screens for exclusions. This can be a costly mistake.
Figure 1 reflects OIG enforcement efforts in cases in which the agency initiated the investigation. It shows the OIG’s focus on institutions that provide a lot of care and then submit a lot of claims for that care.
Table 1 shows that the OIG’s enforcement net extends far wider than doctors and other direct billers. Although there is an emphasis on non-billing, direct care providers, the chart shows that no position is “safe” when it comes to imposing CMPs for excluded employees.
Although the imposition of CMPs is the favored enforcement methodology, a growing number of cases involving exclusions have resulted in False Claims Act (FCA) cases and criminal convictions. For example, a joint federal/state investigation in Tennessee involving an excluded private duty nurse who worked for a home health agency resulted in a $6.5 million settlement. In addition, the OIG has brought a number of FCA cases in which the principal allegations involved businesses operated by excluded persons
Finally, recent enforcement efforts with respect to the requirement that providers ensure the exclusion status of physicians, pharmacies, and labs at the point of service have been increasing. This has resulted in a number of settlements with pharmacies based on the employment of excluded pharmacists or excluded support personnel. For example, in one of the settlements, a pharmacy chain paid $21.5 million in settlement because it had employed a large number of excluded pharmacists. States also have taken an interest in this issue; for example, the Attorney General of New York settled with a pharmacy for $442,000 to resolve allegations that the pharmacy had been fulfilling prescriptions written by an excluded physician.
AVOIDING CIVIL MONEY PENALTIES AND OVERPAYMENT LIABILITY: COMPLIANCE WITH FEDERAL EXCLUSION SCREENING REQUIREMENTS
Exclusion enforcement is based on the simple principle that providers are responsible for ensuring the exclusion status of their employees and those with whom they do business. As a consequence, claims for items or services furnished by excluded individuals or entities result in regulatory violations subject to the imposition of civil money penalties, and all federal reimbursements for such items or services violate the payment prohibition and constitute overpayments. Only proper exclusion screening can help providers avoid these risks, and this section seeks to help providers understand their federal screening obligations. Much of the content in this section relies on the guidance contained in the 2013 Special Advisory, but it relies as well on subsequent guidance issued by the OIG, and on Corporate Integrity Agreements (CIAs) that have been imposed by the OIG as part of recent False Claims Act settlements.
Which Employees Should be Screened for OIG Exclusions?
Employees must be screened for exclusions if they furnish any item or service that is payable directly or indirectly, whether in whole or in part, by a federal healthcare program. The OIG recommends the following process for providers to use in determining which employees should be screened:
Review each job category or contractual relationship to determine whether the item or service being provided is directly or indirectly, in whole or in part, payable by a federal healthcare program. If the answer is yes, then the best mechanism for limiting CMP liability is to screen all persons that perform under that contract or that are in that job category. (2013 Special Advisory, at 15-16).
Because all the relevant terms are broadly defined (see footnote 9 and pages 2 and 3, infra,) and as the process is as time-consuming and difficult to follow as it is broad, providers are best served by screening all of their direct employees unless they can identify specific employees who work in a separate, identifiable division wholly unrelated to federal healthcare programs. Caution dictates against “picking and choosing” who to screen unless a “quarantine” can be guaranteed. In addition, corporate integrity agreements include owners, officers, directors, managing employees, agents, and active medical staff as those who should be screened regardless of whether they are employed directly or indirectly.
Exclusion Screening of Vendors and Contractors
The OIG suggests that providers use the same analysis in determining “whether or not to screen contractors, subcontractors, and the employees of contractors” that it uses for its own employees. This standard is unrealistic in many circumstances, and although the OIG does not acknowledge the difficulty of its suggestion, it goes on to states that “The risk of potential CMP liability is greatest for those persons that provide items or services integral to the provision of patient care because it is more likely that such items or services are payable by the Federal health care programs.” (See 2013 Special Advisory at 16.) The dual focus of patient safety and program integrity was again emphasized in the amendment of CMP rules in 2017. The new 2017 rules are a valuable guide in determining whom to screen.
The CMP authorities in this part, as a general matter, aim to redress fraud on the federal health care programs by recovering funds, protecting the programs and beneficiaries from untrustworthy providers and suppliers, and deterring improper conduct by others. Accordingly, it is highly relevant if the conduct put beneficiaries at risk of patient harm (81 Fed. Reg. 88, 334 (Dec. 7, 2016)).
CIA’s from OIG settlements can contain indirect acknowledgments by the OIG as to the broad nature of the screening obligation is outlined in the guidance. In most of these documents, there is a specific provision stating that providers do not need to screen vendors whose sole connection to the provider is selling or providing supplies or equipment for which the vendor does not bill. This is a common-sense exception that removes uncertainty with regard to a large class of vendors who provide supplies for which the provider is ultimately reimbursed.
Applying the guidance and understanding of the concerns of the OIG, the contractors and vendors who are likely candidates for exclusion screening are those that provide the following services:
- Ambulance and other transportation service providers;
- IT solution providers;
- Security providers and their technicians;
- Medical equipment suppliers;
- Food service workers;
- Lab technicians;
- Billers and coders;
- Nurses, physicians, and other individuals provided by staffing agencies; and
- Physician groups that provide emergency room coverage.
For obvious reasons, the OIG is highly focused on screening billers and third-party billing companies. In most CIAs, OIG will only allow providers to delegate the exclusion screening function to their billing company if it does not have an ownership or controlling interest in the billing company and it certifies that the following conditions have been met:
- The billing company has a policy of not employing persons who are excluded, suspended, or otherwise ineligible to participate in Medicare or other federal healthcare programs;
- The company screens its employees upon hire and monthly thereafter against the List of Excluded Individuals/Entities (LEIE);
- The company provides proof of its screening activities; and
- The billing company provides training in the applicable requirements of the federal healthcare programs to those employees involved in the preparation and submission of claims to federal healthcare programs.
How Often Should Providers Screen?
Providers are responsible for ensuring the exclusion status of employees, vendors, and contractors at all times and at the point of service, and they should screen accordingly. Thus, exclusion screening should be performed prior to employment or to the initiation of a business relationship. Exclusion screening also should be performed without regard to the person’s status or “whether or by whom” exclusion screening had previously been performed.
In order to ensure ongoing compliance with the obligation to ensure an “exclusion free” workforce, screening also must be performed “regularly” thereafter. Providers sometimes question the necessity of ongoing screening, but the reasons for it are obvious: exclusion is not a static condition, and someone who is not excluded at the time of hire can certainly become excluded at a later date. This is particularly the case if an exclusion is based on a licensing action that was pending at the time of employment but not resolved until sometime after the employment relationship began. Also, and perhaps most importantly, regular screening is required.
Although there are no statutes or regulations that expressly state exactly what constitutes “regular screening,” the OIG has unequivocally expressed its view that monthly screening “best minimizes potential overpayment and CMP liability” (2013 Special Advisory at 15). In addition, the OIG notes that in June of 2008, CMS issued a State Medicaid Director Letter (SMDL #08-003) that provided guidance to Medicaid directors on checking providers and contractors for excluded individuals, and that CMS issued a follow-up directive in 2009 (SMDL #09-001) providing further guidance to the states and, essentially, mandating that screening be done upon hire and monthly thereafter. The OIG also notes that LEIE is updated monthly. Finally, there is the practical consideration that removing an excluded employee as soon as possible is the best action a practice can take for business.
Which Federal Exclusion Lists Should be Screened?
The OIG requires that providers screen its LEIE. It does not, however, require providers to screen the Government Service Administration’s System for Award Management (GSA/SAM), because the OIG has no authority to impose penalties or assessments based on an individual’s or entity’s inclusion on a separate federal agency’s debarment list or on a state exclusion or debarment list.
Although searching the LEIE can satisfy the OIG’s screening requirement, providers that participate in state Medicaid Programs should understand that every state has its own set of exclusion regulations and exclusion screening requirements. Indeed, at last count, 40 states had their own exclusion lists, which had to be screened in addition to the LEIE. Medicaid providers need to consult the relevant rules and regulations in the state, or states, in which they participate.
It is also noted that Section 6501 of the ACA specifically states that if a provider or entity is excluded from any state Medicaid program, then that provider or entity is excluded from participating in all state programs (42 U.S.C. § 1396(a)). Although it has not been fully settled as to how the statute will be implemented, it is worth noting and considering when determining which databases to screen. Many screening services routinely screen all such databases instead of screening individual states.
Additional Recommended Practices
The following policies and procedures are all found in either CIAs or other materials published by the OIG. They are not required, but they do reflect practices that providers might consider including as part of exclusion screening program:
- Have a provision on maintaining documentation of its exclusion screening activities in its document retention policy;
- Have a written policy requiring the disclosure of any exclusion or any other adverse action that occurs during the course of their employment, including any state exclusions, suspensions, licensing actions, revocations and debarments; and
- Have a written policy requiring employees to report the existence of any pending or proposed exclusions or adverse action that might cause an exclusion.
THE SCREENING PROCESS
How Difficult Is It to Actually Screen?
The actual process of screening employees, vendors, and contractors against the LEIE is a cumbersome one. Providers can either manually input names into the OIG website or download the entire exclusion list from the website and compare it with their employee list—but both options provide significant challenges. If a provider decides to manually input the names, for example, he or she is limited to five names or four entities at a time. Any potential match requires an additional step for confirmation, and unless the submitted name is an exact match with the name in the LEIE, it will not register as a potential exclusion. Providers that elect to download the entire list, the other option, also face serious challenges. There are over 65,000 names on the LEIE, and many providers simply don’t have the technical expertise to compare lists—particularly where the names may not result in perfect matches. In addition, the OIG requires that the screening process be documented by screenshots or otherwise, which would not be easily accomplished by either screening methodology.
Can Providers Rely on Others to Screen?
The OIG recognizes that providers will sometimes seek to delegate their screening obligation to contractors such as staffing agencies. When that occurs, the OIG again advises the provider to demand and maintain documentation that the screening was performed, and it also reminds providers that a delegation of the responsibility to screen does not equate to a delegation of the liability attached to that obligation. For example, the OIG states in its 2013 Advisory that even when a third party reliably and effectively screens for excluded individuals, those that rely on them are still “responsible for overpayments and CMPs” (at page 8).
Regardless of whether and by whom screening is performed and the status of the person . . . the provider is subject to overpayment liability for any items or services furnished by any excluded person for which the provider received federal healthcare program reimbursement and may be subject to CMP liability if the provider does not ensure that an appropriate exclusion screening was performed (2013 Special Advisory, at 16).
Does It Make Sense for Providers to Hire a Third-Party Vendor to Perform Screening?
Hiring a third-party vendor to screen for exclusions does not solve all of a provider’s screening issues and problems, but it is a relatively inexpensive alternative that solves most of them. Reputable exclusion screening vendors can do all of the work inherent in screening, including the verification of potential matches, so that providers don’t need to waste employee time manually entering tens (or hundreds, or thousands) of names. These vendors should have sophisticated software that is able to identify “potential matches” when names are not a “perfect match,” and they should also maintain records of all screening activities. Another important advantage of having a vendor perform exclusion screening is that they should be able to screen the various state exclusion lists at little or no additional cost. Finally, even though a provider cannot delegate its overpayment liability, having a third party that regularly screens all names can provide strong defenses against the imposition of any civil money penalties.
SELF-DISCLOSING EXCLUSION VIOLATIONS
The OIG’s updated Self-Disclosure Protocol issued added a new section for self-disclosing exclusion violations and a formula for calculating single damages. In addition to creating a path for self-disclosures and injecting some certainty into the process, the updated protocol clarified the OIG’s expectation that providers fully comply with exclusion regulations and its intention to enforce the exclusion regulations if providers fail to do so.
The protocol requires that providers fully investigate the matter and submit their findings in a narrative that includes the following information:
- Identification information regarding the excluded individual, including license and provider identification information (if any);
- Job duties, and their dates of service;
- A description of the screening that took place both prior to and after employment began;
- How the problem was discovered or and the corrective actions taken; and
- A calculation of the loss (see following section).
Calculation of the “Loss”
Prior to the update, calculating the “loss” for exclusion violations was particularly problematic if the employee provided services that indirectly contributed to the submission of a claim but were not billable in of themselves (e.g., nurses, surgical assistants) or if the employee provided
services that supported the organization but were not connected with any specific claims (e.g., administrative, IT, or housekeeping services). Providers were at a loss when attempting to calculate the single damages of exclusion violations associated such individuals. To calculate the loss for an excluded shift supervisor, would every service provided during every shift while the shift supervisor was employed be tainted and constitute an overpayment? How would one calculate the overpayment amount for a biller or coder, or a coding or billing supervisor?
The revised protocol directly addressed this issue of how to self-disclose by creating a simple, workable methodology that could be used to generate an amount, which would then serve as a proxy for the single damages. Specifically, the formula requires providers to do the following:
- Identify the total cost of employment for the excluded person or persons (including benefits, etc.) during the period of employment;
- Calculate the provider’s payer mix (by the unit in which the person worked if possible, or by the entire entity if not); and
- Simply multiply the cost by the federal mix.
The result can then be used as a “proxy” for the single damages and as a basis for “compromising the OIG’s CMP authority.” Because the calculation considers the contribution of the excluded employee during the exclusion period and the extent of the federal contribution to the organization, it provides a generally proportionate result in matters involving non-billing employees that provide services that contribute to claims to federal healthcare payers.
Reinstatement at the conclusion of an exclusion period is not automatic. Applications may be submitted 90 days prior to the reinstatement date. However, in many permissive exclusions, the reinstatement date is dependent on external factors that are unknown at the time of the exclusion. For example, when a person is excluded based on a license revocation, he or she is not eligible for reinstatement until he or she has regained the license referenced in the exclusion or an equivalent license in another state. Alternatively, if the person does not regain his or her license, he or she may seek reinstatement if a minimum of three years has passed and the action was not based on patient abuse or neglect (42 CFR § 1001.501(b)-(c)). An OIG exclusion based on a state healthcare program exclusion also is linked in length to that action, but a person subject to an exclusion on this basis is not eligible for reinstatement until the state exclusion is lifted—unless the basis of that action was an OIG exclusion in the first place (42 CFR § 1001.601(b)).
If the OIG determines that the provider is eligible for reinstatement, the OIG will send the provider a number of forms and releases of information to be completed, notarized, and returned. In evaluating reinstatement requests, the OIG considers the following:
- Conduct of the individual or entity prior to, and after, the exclusion;
- Whether there are reasonable assurances that the conduct that formed the basis for the original exclusion will not recur;
- Whether all fines and all debts due have been repaid or if there are satisfactory arrangements for those that have not ;
- The benefits of reinstatement to federal healthcare programs and its beneficiaries; and
- Whether CMS has determined that the individual or entity complies with, or has made satisfactory arrangements to fulfill, all the applicable conditions of participation (42 C.F.R. § 1001.3002).
Once it has completed its review, the OIG will notify the applicant of its decision. If an application for reinstatement is denied, the excluded individual or entity has 30 days to submit documentary evidence and written argument against the continued exclusion. He or she also may make a request to present written evidence and oral argument to an OIG official. After evaluating the submission, the OIG will send the provider written notice of its final decision. If the OIG confirms its decision to deny reinstatement, the decision is not subject to administrative or judicial review, and the provider must wait at least one year to submit another request for reinstatement (42 C.F.R. § 1001.3004).
The OIG has the authority to grant a “waiver” of an exclusion under certain limited circumstances as found in 42 C.F.R. § 1001.1801, et seq. The request must come from the administrator of a federal healthcare program who is “directly responsible” for administering that program under certain limited circumstances. It may not be made on behalf of someone excluded for abuse or neglect. If the request is made on behalf of a person who has been the subject of a mandatory exclusion, the administrator must determine that: (1) the individual or entity is the sole source of an essential specialized service in a community, and (2) that the exclusion would impose a hardship to the beneficiaries of that program. Requests made on behalf of persons or entities subject to a permissive exclusion must also be made by a program administrator. However, the waiver may be granted if the “OIG determines that imposition of the exclusion would not be in the public interest” (42 CFR § 10011801(c)). If a waiver is granted, it is applicable only to the program (or programs if made by more than one) for which it has been requested, and if the basis for the waiver ceases to exist, it is rescinded. The decision to grant, deny, or rescind a waiver is not subject to administrative or judicial review (§ 10011801(c)).
The primary goal of this article is to give providers a comprehensive reference guide on the existing legal and regulatory framework of OIG exclusions and the risks and potential consequences of exclusion violations, and to make suggestions on compliance strategies to avoid those risks. However, providers are reminded that there are additional good reasons for having a rigorous and effective exclusion screening program. State Medicaid programs, for example, often have screening requirements that are more rigorous than those of the OIG; and, finally, in light of the fact that almost all exclusions are imposed for reasons related to fraud, abuse, or drugs, providers should also assess the potential risks excluded entities pose to their patients and their organization.
>> Click here to read part 1 of this article!
ABOUT THE AUTHOR
REFERENCES AND ENDNOTES
 The self disclosure protocol was updated on April 17, 2013, and the Special Advisory was updated May 3, 2013.
 The Office of Evaluations and Inspections (OIG/OEI) and the Office of Audit (OIG/OA).
 The table cited is intended to be a demonstrative sample of settlements. Settlements of exclusion civil money penalty cases are reported and published on the OIG website, https://oig.hhs.gov/fraud/ enforcement/cmp/index.asp.
 Cases referenced herein have been reported and published on https://oig.hhs.gov/fraud/enforcement.
 Overpayments that are not the result of a regulatory violation can occur if a provider properly screens and an employee is added to the LEIE while employed. This would limit the overpayment and not result in a CMP.
 The updated Bulletin was issued, in part, to provide guidance “on the scope and frequency of screening employees and contractors” See 2013 Special Advisory at 1.
 CIAs are imposed by the OIG in lieu of their imposing administrative remedies in cases involving FCA investigations. As such, requirements in them are sometimes concrete examples of OIG interpretations and expectations, and therefore they can be useful as “guidance.”
 Meaning to take actions sufficient to ensure that the employee does not touch federally reimbursed services. But even if it were possible that a provider could meet this test, the scope of the payment prohibition is so broad that it is unlikely that it would be worth the effort to remove them from the screening list.
 See https://downloads.cms.gov/cmsgov/archived-downloads/ SMDL/downloads/SMD061208.pdf
 See https://downloads.cms.gov/cmsgov/archived-downloads/ SMDL/downloads/SMD011609.pdf
 In addition to meeting its regulatory obligations, a proper exclusion screening program can also provide significant benefits to compliance and risk management programs. See HCCA, Measuring Compliance Program Effectiveness: A Resource Guide (Jan. 2017), available at https://oig.hhs.gov/compliance/compliance-resource-portal/files/ HCCA-OIG-Resource-Guide.pdf.
 States, at a minimum, require that providers screen the LEIE and the state list (if there is one). However, they may also require providers to screen additional state lists and/or additional Federal debarment lists.
 The author is a cofounder of Exclusion Screening, LLC, a third-party vendor of exclusion screening services.
 See OIG’s Provider Self-Disclosure Protocol (April 17, 2013). https:// oig.hhs.gov/compliance/self-disclosure-info/files/Provider-Self- Disclosure-Protocol.pdf.
 The result is generally proportionate to the violation because of the loss increases in proportion to the employment of the excluded employee, the amount of salary paid to that person, and the payer mix of the entity. For example, the loss involving an excluded nursing aide that was discovered soon after hire by a provider with a 25% federal payer mix would be minimal compared with that involving an excluded administrator or management employee who worked for a provider with a 75% federal payer mix for a period of months or possibly even years before discovery.