How to secure funding today and protect yourself from CARES Act enforcement actions tomorrow.
- $100 billion in CARES Act funding is being channeled through the Public Health and Social Services Emergency Fund (PHE Fund) to reimburse eligible providers for COVID-related expenses and lost revenue.
- Organizations that use these funds should anticipate future governmental scrutiny, as the Inspector General of the Department of Health and Human Services (HHS) must conduct an audit within three years.
- Organizations must comply with HHS Terms & Conditions which may change at any time.
- Reviewing and understanding CARES Act oversight mechanisms and requirements to demonstrate compliance is the key to avoiding future enforcement actions.
- Maintaining sound business practices and documentation are critical to validate compliance for audits.
- Certain “good faith certifications” are allowable under particular HHS funding programs, but self-certifications are a prime area for investigation and audits.
The CARES Act includes an initial $100 billion fund intended to support health care providers. Channeled through the Public Health and Social Services Emergency Fund (PHE Fund), this money will reimburse eligible providers for “health care related expenses or lost revenues that are attributable to coronavirus.” These funds are intended to stabilize finances as hospitals face short term revenue reductions due to the cessation of elective procedures and increased costs for items like personal protective equipment (PPE) and personnel. Congressional leadership has indicated it may consider increasing available funds, but even at current levels, these funds are unprecedented and equivalent to approximately one month of total U.S. hospital operating revenues.
While there is some confusion as to what constitutes allowable uses for funding (e.g., construction costs, leases, medical supplies, and some personnel costs), one thing is certain – the use of these funds will be subject to future governmental scrutiny, as the Inspector General of the Department of Health and Human Services (HHS) must conduct a full audit within three years. Given the size of the distribution (over $2 trillion dollars), there is a high probability of future enforcement actions.
Recently, HHS made important additional announcements about the use of funds that have current implications for healthcare organizations and healthcare compliance programs. After initially choosing not to create a COVID-19 special enrollment period (SEP) in the healthcare.gov platform, HHS announced that a portion of the PHE Fund will now “cover providers’ costs of delivering COVID-19 care for the uninsured.” As such, the fund will pay uninsured costs at Medicare rates, and providers may therefore not bill uninsured patients for the balance. In other words, “balance billing,” a known healthcare compliance issue, will likely continue to be a primary area of focus for future audit scrutiny. HHS also recently announced that they would also be immediately routing $30 billion from the fund to hospitals to be allocated in proportion to Medicare revenue, so it will be critical to ensure that Medicare revenue is accurately reported.
Despite the evolution of terms and conditions of accepting these HHS funds and remaining questions regarding allowable uses, there is no doubt about the need to demonstrate and apply sound compliance oversight of all CARES Act funding processes and internal controls from application to allocation to required quarterly reporting to mitigate the potential risk of future enforcement actions.
Beware of Possible Impacts From 21st Century Cures Act HHS-OIG Amendments As a potential bellwether of things to come, healthcare boards, senior executive leadership and healthcare compliance officers should be aware of recent and seemingly unrelated proposed HHS-OIG amendments related to the 21st Century Cures Act and OIG enforcement, as these proposed changes may impact future CARES Act enforcement activities.
On April 24, 2020, HHS and the Office of the Inspector General (HHS-OIG) issued a proposed rule to amend the agency’s civil monetary penalty (CMP) rules addressing three key areas related to the 21st Century CURES Act which could have an impact on future CARES Act enforcement. As proposed, this HHS-OIG Notice of Proposed Rulemaking (NPR) seeks to broaden the authority of HHS-OIG oversight over CMPs, assessments and exclusions in the event of fraud and other misconduct related to HHS grants, contracts, and other agreements. A summary of the (3) HHS-OIG NPR proposed amendments and CMP implications are provided below (emphasis added):
- Amendment of the Civil Monetary Penalties Law (CMPL), 42 U.S.C. § 1320a-7a, by the 21st Century Cures Act (Cures Act), authorizing HHS to “impose CMPs, assessments, and exclusions upon individuals and entities that engage in fraud and other misconduct related to HHS grants, contracts, and other agreements.”
- Amendment of the Public Health Service Act (PHSA), 42 U.S.C. § 300jj-52, by the Cures Act, authorizing HHS-OIG to “investigate claims of information blocking” and providing the Secretary of HHS (Secretary) authority to "impose CMPs for information blocking.”
- Proposed increase in penalty amounts under the CMPL, effected by the Bipartisan Budget Act of 2018 (BBA 2018).
While these proposed amendments do not explicitly address the CARES Act and other COVID-centric relief funding, it should be noted that the HHS-OIG proposed rule amendments could easily be expanded to apply to CARES Act grants, contracts, and other agreements provided by HHS under the CARES Act in connection with the COVID-19 public health emergency. For example, in the initial disbursement of the CARES Act Provider Relief Fund, HHS delivered $30 billion to eligible providers. However, HHS conditioned the payment on the provider signing an attestation accepting the Terms and Conditions, which requires providers to submit a quarterly report accounting for use of the funds. Based on the proposed rule, it would appear that HHS-OIG potentially could impose a CMP, assessment, and exclusion on a provider who “knowingly makes, uses, or causes to be made or used, any false statement, omission, or misrepresentation of a material fact” in the required quarterly report for the CARES Act Provider Relief Fund. Therefore, within a False Claims Act context, provider organizations must be diligent in understanding how evolving statutory and regulatory requirements associated with the receipt and allocation of HHS funding in one program may create future risk in similar funding programs.
2008 Financial Crisis Sheds Light on Government Enforcement of Stimulus Money From a historical context, healthcare providers can also look to the governmental enforcement response following the 2008 Troubled Asset Relief Program (TARP). During the financial crisis of 2008, the TARP stimulus provided $700 billion of stimulus money into the economy. After the TARP stimulus fund infusion, over a of decade of criminal and regulatory enforcement actions followed, resulting in hundreds of criminal convictions and billions of dollars of financial penalties. The CARES Act distribution significantly dwarfs the TARP stimulus in size and scope, so future enforcement activity could well exceed that seen post TARP.
How Can Healthcare Providers Avoid Future Enforcement?
- Review and understand CARES Act oversight mechanisms and what is expected to demonstrate compliance with the Terms & Conditions of CARES and other COVID-centric funding allocations.
- Understand the role of The Special Inspector General for Pandemic Recovery (SIGPR) in providing audit and investigations related to CARES Act loans and investments.
- Ensure that required funding documentation is securely retained to support attestations, certifications and quarterly reports.
Take Steps Now to Ensure Compliance and Minimize Future Risk to Your Organization Due to the unprecedented magnitude of funds disbursed under the CARES Act and other HHS COVID-centric funding allocations, healthcare providers should anticipate active future audit scrutiny from HHS-OIG. Follow these sound business and compliance practices to reduce your risk:
Application. Ensure your application is complete and organizational data substantiates what you certify and attest to in applications and quarterly reports.
Diligent Oversight. The board, senior executive leadership and compliance must be able to demonstrate appropriate oversight of funds, and not just a “rubber stamp” review. Documentation such as Board meeting minutes will be scrutinized carefully during the audit process. The board, senior leadership and compliance must review, approve and demonstrate oversight of the funds allocations and processes and document oversight of any issues to resolution.
Compliance History. Ensure any current enforcement or known compliance issues are addressed as these data can be scrutinized during future audits.
External Advisory and Assurance Support. Seek objective third-party risk/gap assessment assistance from trusted compliance, legal and accounting experts to ensure you are complying with all HHS CARES Act Terms and Conditions and that all required documentation validates compliance. Obtaining validation from third-party review can help provide additional supportive documentation of compliance during future audits.
Accounting, Finance and Banking Practices. Strictly follow all standard accounting, finance and banking procedures and regulations when setting up and managing dedicated CARES Act bank accounts for audits and to avoid intermingling funds with other accounts.
Grant and Funds Management. Follow your standard compliance processes for grant and funding management and ensure appropriate levels of sign-off are documented at each level within the allocation process.
Vendor Management and Procurement. While the Secretary of the U.S. Department of Health and Human Services has allowed for expedited procurement and granted certain waivers, vigilance in vendor management is expected. Vendors must still be appropriately vetted and contracting done in accordance with allowable practices. Determination of Medicare exclusion is still an expectation for example, as is oversight of the contracting and vendor management process. All quotes, purchase orders, invoices, and related procurement data as pertains to HHS funding allocations must be appropriately maintained.
During this time of unprecedented distribution of HHS funds related to the CARES Act and COVID-centric HHS funding, it should surprise no one that there will be future compliance and regulatory audits with a high potential for enforcement actions. Your board, senior executive leadership and healthcare compliance officers should review existing business processes, practices and internal controls regarding HHS funding. Seeking objective, third-party review where indicated will help identify strengths and opportunities to improve your controls and equip you to conduct focused reviews to demonstrate diligence as well as mitigate your risk of future enforcement actions.