Executive Summary

• The Coronavirus Aid, Relief, and Economic Security (CARES) Act and the Paycheck Protection Program and Health Care Enforcement Act provided a total of $175 billion to eligible healthcare providers for reimbursement of healthcare-related expenses and lost revenues attributable to COVID-19.
• Receiving federal stimulus money comes with government oversight to prevent fraud and ensure the funds are not misused or wasted. Federal officials will have authority to audit recipients, claw back improperly used relief funds, and prosecute violations.
• Healthcare providers should establish a risk management program to prevent, detect and remediate fraud, waste, and abuse, and should: (i) conduct a risk assessment; (ii) establish procurement controls and financial controls; (iii) incorporate forensic review; (iv) conduct internal audits; and (v) provide training to relevant personnel.

Introduction

The healthcare industry is at ground zero amidst the COVID-19 pandemic, faced with severe financial operating distress, even bankruptcy, all while trying to save lives. Hospitals and health systems have canceled profitable elective surgeries in response to local and state mandates designed to reduce COVID-19 transmission and meet the demand of infected patients. Shortages of medical and testing supplies have led bad actors to try to capitalize on the crisis.

The federal government has taken various steps to provide much needed assistance to care providers. These steps include the passage of the CARES Act, the Paycheck Protection Program and Health Care Enforcement Act, the activation of Federal Emergency Management Agency (FEMA) disaster relief programs, and similar programs overseen by the Department of Housing and Urban Development and Department of Health and Human Services (HHS).

History has shown that this type of immediate and direct access to massive amounts of federal funds brings the risks of fraud, waste, and abuse, eroding the purpose of funding relief and hampering reimbursements. Officials have already referenced concerns about these risks, estimating that at least 10% of the total aid could be lost to fraud, equating to tens of billions of precious dollars. News reports have highlighted schemes, including price gouging and the passing off for sale of substandard equipment, which are not only fraud but also safety issues endangering the lives of patients.

As with the Troubled Asset Relief Program, the CARES Act establishes a number of oversight bodies (i.e., the Special Inspector General for Pandemic Recovery, the Pandemic Response Accountability Committee, and a Congressional Oversight Commission) to monitor use of relief funds, investigate potential fraud, waste, and abuse, and potentially claw back improperly used relief funds. In addition, the Attorney General and Deputy Attorney General have directed United States Attorneys offices to prioritize the investigation and prosecution of coronavirus-related fraud schemes and “appoint a Coronavirus Fraud Coordinator to serve as the legal counsel for the federal judicial district on matters relating to the coronavirus, direct the prosecution of coronavirus-related crimes, and to conduct outreach and awareness.”

Mitigating the Risk

To guard against the risk of fraud, waste, and abuse and prepare for audit and oversight, it is vital that healthcare organizations implement a robust system of controls built on a framework of prevention—the first line of defense to protect your organization; detection—assessing whether your preventive controls are effective; and remediation—addressing weaknesses identified during the detection phase or otherwise. These controls include:

• Management of internal risk. Conducting an assessment and, as necessary, enhancing the controls an organization has in place to manage relief funds are important first steps to effective relief funds management. One of the conditions out-of-network providers must agree to is they will not seek collection of out-of-pocket payments from any COVID-19 patients that are greater than what a patient would otherwise have paid if the care was provided by an in-network provider.

• Procurement controls. A well-designed and effectively operating control environment relating to procurement of goods and services is the first line of defense against fraud, waste, and abuse.

Effective procurement controls should include a due diligence process for suppliers, vendors, and contractors and processes to protect the integrity of the supply chain from bribery, corruption, conflicts of interest, and the theft of supplies and resources.

Recipients of relief funds must agree to the terms and conditions set forth by HHS, which include stipulations that the payments received will only be used to prevent, prepare for, and respond to COVID-19 expenses or lost revenues that are attributable to this pandemic. Organizations should have a systematic way to account for these expenses and lost revenues.

• Financial controls. Well-designed and executed financial controls guard against fraud, waste, and abuse. They protect the integrity of the accounting and reporting of relief funds and promote management accountability of how the funds are spent.

An effective financial controls environment should include appropriate segregation of duties regarding procurement, payment processing, recordkeeping, and reporting. Inventory, costs, and pricing controls should also be in place to protect against price gouging.

Effective financial controls and systems will allow healthcare providers to estimate and collect their portion of stimulus funding. To address the immediate need for funding, general distribution to Medicare facilities and providers has been allocated based on eligible net patient revenue. The ability to calculate this will enable healthcare providers to understand how much they can claim and, more importantly, be able to receive this funding in an expedited manner with a level of certainty of what is their appropriate share of the stimulus.

• Forensic review. Providers should conduct regular testing, comprehensive reviews, and risk-based analytics. Such strategies help to detect, identify, and protect against the mismanagement of relief funds and intentional efforts to circumvent established controls, which can lead to improper and fraudulent payments. These reviews should focus on vendors, suppliers, contractors, beneficiaries of funds, and employees, as applicable.

Relief funds recipients are required to maintain appropriate records and cost documentation and be able to produce supporting documentation of the disposition of the funds for a minimum of three years. Providers receiving funds should be prepared to be subject to an audit where the government will dig deep into their financial records and systems to find supporting documentation for expenditures related to equipment, medicines, vaccines, and even temporary structures created.

• Internal audit and investigations. A robust internal audit process will help identify and remediate any potential anomalies or control weaknesses. In addition, a vigorous investigation process can help organizations effectively address indicators or allegations of illegal or unethical conduct.

The COVID-19 pandemic will likely be classified as extraordinary and rare, meaning that information such as the identification of patients treated may have to be produced to support expenses. This highly sensitive information needs to be maintained and protected due to privacy concerns, and providers should have the appropriate safeguards in place to ensure that their systems are safe and secure so they can protect patients’ privacy.

• Training. It is vital that all relevant personnel (vendors, suppliers, contractors, and employees, as applicable) receive training for conduct and expectations relating to relief funds.

Employees responsible for receiving relief funds should be well-versed in what qualifies as an expense or cost to which relief funds can be allocated. These employees should also be trained and aware of certain limitations on the use of relief funds, such as lobbying expenses or embryo research, to name a few. The front-line employees responsible for receiving the funding and payment of costs can act as the best mechanism of defense for any government inquiry only if they are trained properly on what is acceptable and what is not.

• Public accountability and transparency. The public has an expectation that organizations that receive relief funds operate with transparency with respect to their use and management of the funds. Organizations receiving in excess of $150,000 are required to submit a report to the Pandemic Response Accountability Committee that includes the total amount of funds received, the manner in which those funds were spent, and certain details such as the estimated number of jobs created or retained by the use of the relief funds.

Protecting Clients in Times of Crises

Pillsbury and Guidehouse are uniquely positioned to help healthcare organizations ensure that they have the proper control environment relating to the application for and use of relief funds.

Guidehouse has a long history of providing consulting and advisory services to the healthcare industry, as well as significant experience helping clients develop, document, operationalize, and implement controls to demonstrate prudent use of government funds in response to various natural and manmade disasters, including 9/11, the 2008 financial crisis, and Superstorm Sandy. For more information, please visit: www.guidehouse.com.

Pillsbury’s Health Care Industry team combines extensive industry knowledge, legal and regulatory experience, and litigation prowess to provide comprehensive service to those in the health care sector, and our COVID-19 Response Team has been leading the legal industry in providing critical guidance to clients during this urgent and quickly evolving crisis. For more information, please visit www.pillsburylaw.com.

For additional questions, please contact one or more of the authors.