On May 26, 2020 the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) published its Oversight of COVID-19 Response and Recovery Strategic Plan, identifying the agency’s four primary objectives during the Coronavirus (COVID-19) public health emergency (PHE). These goals, as articulated in the Plan, consist of protecting individuals, protecting financial resources, protecting infrastructure and promoting the effectiveness of HHS programs. The Plan indicates that enforcement activity will focus on the unprecedented funding mechanisms and regulatory flexibilities that were put in place around the COVID-19 PHE.
The Plan’s components and strategic objectives will be of special interest to healthcare providers that availed themselves of regulatory flexibilities with a reimbursement impact, or that received response and recovery funding or otherwise benefitted from the financial relief mechanisms.
Focus #1 – Protecting Individuals
OIG expressed its intent to issue guidance on the application of OIG’s administrative fraud enforcement authorities to support providers in delivering necessary patient care during the PHE. This arguably encompasses COVID-19-specific guidance issued by OIG, such as the policy statement regarding enforcement of the federal anti-kickback statute consistent with the Stark Law section 1135 waiver, and the creation of a novel “frequently asked questions” pathway to obtain OIG’s views on certain arrangements under OIG’s authorities.
OIG further announced that it plans to conduct “rapid-cycle reviews” of conditions affecting HHS beneficiaries or providers while further deploying necessary law enforcement personnel to protect HHS personnel and resources. One prominent example of this rapid-cycle review may be the “pulse survey” OIG conducted concerning hospital experiences responding to COVID-19, which received significant public and administration attention due to its negative findings.
In tandem, OIG will identify and investigate suspected fraud and other scams that jeopardize HHS beneficiaries and the public, including allegations of patient harm and testing and identity theft scams. Lastly, OIG will assess the impacts of HHS programs on the health and safety of beneficiaries and the public by conducting audits and evaluations in certain healthcare settings, such as nursing homes; HHS human services programs, such as child care programs; and other HHS operations, such as the acquisition, management and distribution of resources from the strategic national stockpile and the production, approval and distribution of COVID-19 tests, along with vaccine and treatment research and development.
Focus #2 – Protecting Financial Resources
As of mid-May 2020, HHS received $251 billion in appropriations for COVID-19 response and recovery, which includes $175 billion for the Provider Relief Fund and $76 billion for the HHS Office of the Secretary to prevent, prepare for and respond to the COVID-19 PHE. HHS also is spending a substantial amount from other appropriations for COVID-19-related activities, including increases in the federal match for Medicaid and in reimbursement for some Medicare services. Consequently, OIG has identified as a second area of focus its engagement in activities aimed to prevent, detect and remedy waste or misuse of COVID-19 response and recovery funds. These activities include conducting audits and evaluations of HHS’s oversight, management and internal controls for the award, disbursement and use of funds. Similarly, HHS intends to audit fund recipients to assess whether they appropriately met use, reporting and other requirements, and to recommend recovery of misspent funds. OIG is also prioritizing efforts to combat any fraud and abuse that diverts COVID-19 funding from its intended purpose or otherwise exploits emergency flexibilities granted to providers, as a further way to safeguard the use of government financial resources.
Focus #3 – Protecting Infrastructure
Cyberattacks against HHS, healthcare institutions and researchers have increased since the beginning of the COVID-19 PHE. In response, OIG made clear in the Plan that it is determined to combat research and intellectual property theft and protect the security and integrity of information technology (IT) systems and other healthcare technologies deployed in response to the PHE. OIG seeks to audit HHS capabilities for detecting IT vulnerabilities and identify whether known cybersecurity vulnerabilities related to networked medical devices, telehealth platforms and other technologies being used during the COVID-19 response have been mitigated. OIG also intends to investigate cybersecurity threats to, and attacks on, HHS systems and provide technical assistance to HHS to bolster and better protect its IT infrastructure.
Focus #4 – Promoting the Effectiveness of HHS Programs
In order to support the effectiveness of federal, state and local COVID-19 response and recovery efforts, OIG will conduct audits to evaluate these ongoing initiatives in order to ensure that recipients of funding achieve program goals. OIG also will identify successful practices and lessons learned from the COVID-19 response at the federal, state and local levels and make recommendations to strengthen future emergency preparedness and response. Of particular interest to providers, OIG intends to review pandemic preparedness planning to identify how preparedness funding was spent. Lastly, OIG will assess the emergency flexibilities that were authorized during the pandemic and their effects on HHS programs and beneficiaries, in order to inform program decisions after the PHE ends (e.g., impacts of expanded telehealth in Medicare during the emergency and implications for future Medicare policies).
The Plan encompasses OIG’s anticipated activity as the COVID-19 PHE becomes less acute and providers seek a return to pre-pandemic operating volumes. Providers should be mindful of the following factors in considering the Plan’s impact on their operations and compliance processes:
Increased audits and investigations are a unifying theme for OIG initiatives in the near future, particularly with respect to recipients of response and recovery funding.
Organizations receiving such funding should carefully document compliance with funding requirements and prepare for both upcoming public reporting to HHS and incoming audit requests related to such funding and such reports.
Organizations that have not carefully tracked their utilization of waivers and other regulatory flexibilities should consider doing so now, in order to prepare for any inquiries from OIG or other agencies regarding the organization’s operations during the COVID-19 PHE.
OIG’s plan also appears to contemplate increasing its “rapid-cycle” reviews, rather than relying on the more traditional audit and inspection process, which generally takes a long period of time for a report to be issued.
Organizations should be prepared for OIG contact for these reviews and for the potential consequent publicity from a quickly issued report.
Preparation should include the organization’s compliance team, counsel and leadership, with a communication process to ensure that the board or governing body is kept up-to-date on any reviews, their findings and the potential outcomes.