September 30, 2024

Health Headlines – September 30, 2024


DOJ Releases Updated Version of Evaluation of Corporate Compliance Programs Guidelines – On September 23, 2024, DOJ announced updates to its Evaluation of Corporate Compliance Programs guidelines (Guidance).  The updates are the latest in a series of updates (including in 2019, 2020, and 2023) since DOJ first released the Guidance in 2017.  The Guidance is used by prosecutors to evaluate corporate compliance programs in the context of criminal investigations.  The updated Guidance, while largely unchanged overall, includes additions that focus on emerging risk factors identified by DOJ to account for changing circumstances.  The additions, which fall into three main areas, include: (i) an evaluation of how companies assess and manage risk related to new technologies such as artificial intelligence (AI); (ii) a set of questions to evaluate whether companies are encouraging employees to report misconduct; and (iii) an assessment of whether compliance programs have appropriate access to data to evaluate corporate risks and compliance program effectiveness.

The first area of updates in the Guidance involves evaluating how companies assess and manage risk around AI and other new technologies.  As stated in the Guidance, “[w]here relevant, prosecutors should consider the technology—especially new and emerging technology—that the company and its employees are using to conduct company business, whether the company has conducted a risk assessment regarding the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.”  The Guidance poses several questions for compliance program officers to consider in working to manage emerging risks to ensure compliance with the law, including:

  • Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
  • How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • How does the company train its employees on the use of emerging technologies such as AI?
  • How quickly can the company detect and correct decisions made by AI or other new technologies that are inconsistent with the company’s values?

The second area involves asking questions to determine whether companies encourage employees to report misconduct and whether companies engage in practices that chill reporting of potential noncompliance.  One particular measure of interest to the DOJ is how a company assesses its employees’ willingness to report misconduct.  A related point of emphasis is the importance of a company’s commitment to whistleblower protection and anti-retaliation.  Key questions on this point include: (1) whether a company trains employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws; and (2) whether employees who report misconduct internally are disciplined the same as employees involved in the misconduct who did not report it. 

The third area assesses whether compliance personnel have knowledge and access to data resources that help measure a compliance program’s efficiency and effectiveness.  The Guidance asks how a company is managing the quality of its data sources and how the company is measuring the accuracy, precision, or recall of data analytics models it uses.  The Guidance also inquires whether a company allocates assets, resources, and technology to compliance and risk management functions at a level that is proportionate to other areas of the company. 

Finally, DOJ continues to emphasize the importance of being proactive about risk management.  The Guidance includes new language instructing prosecutors to consider whether a company’s approach to risk management is proactive or reactive.  To ensure risks are well-managed, companies should strive to be able to demonstrate that they can proactively identify potential misconduct or compliance program issues as early as possible. 

A copy of the Guidance is available here.  The meaning of “artificial intelligence,” as used in the Guidance, is set forth on pages 26-27 of a White House OMB memo that is available here.

Reporter, Doug Comin, Atlanta, +1 404 572 3525, dcomin@kslaw.com.

OIG Report Concludes That CMS Needs to Strengthen its Oversight of Remote Patient Monitoring – On September 24, 2024, OIG released a report recommending that CMS exercise additional oversight of remote patient monitoring (RPM) services provided to Medicare beneficiaries. Medicare reimburses RPM for any chronic or acute condition. OIG issued the report in response to the significant uptick in the use of RPM in recent years with an expectation of expanded use in the Medicare population in the coming years.

Medicare initiated separate payments for RPM, also known as “remote physiologic monitoring,” in 2018 and increased RPM usage quickly followed.  As defined in the report, RPM is “the collection and transmission of health data in a patient’s home that providers use to remotely monitor a patient’s health status and manage a patient’s condition.”  In order to qualify for reimbursement tied to RPM services, a Medicare enrollee must have an acute or chronic condition that requires monitoring and must use an internet-connected device, and the device must collect and transmit health data a minimum of 16 days every 30 days.

Medicare metrics tied to new patient use of RPM, existing patient period of use of RPM, and Medicare reimbursement all increased significantly in 2022 as compared to 2019.  For example, in 2019, about 55,000 Medicare enrollees received RPM services for an average use of less than 3 months, and Medicare payments were around $15 million.  In contrast, in 2022, about 570,000 Medicare enrollees (more than ten times the number of enrollees in 2019) received RPM services for an average use of five months, and Medicare payments totaled $300 million (double the average payment per enrollee in 2019).

However, with the increase in Medicare dollars spent on RPM, OIG expressed concern about compliance associated with the services and the three main components: education and setup, device supply, and treatment and management.  OIG found that about 43% of Medicare patients did not receive all three components of RPM.  About 28% of enrollees never received education, and about 23% never received a device. Additionally, 12% of patients did not receive the third component, treatment management. Treatment management is at least 20 minutes of management services for a patient’s treatment plan, including at least one conversation between the provider and the patient. The lack of treatment management indicates that the patients may not have received the full benefits of monitoring or that the monitoring may not have been medically necessary. Although CMS does not require providers to bill for all three components, the percentage of enrollees who did not receive all three components raised concerns.

OIG also expressed concerns regarding the lack of data collected related to RPM services such as information on who ordered or delivered the services. OIG recommended that CMS take the following steps to strengthen oversight of RPM:

  1. Implement additional safeguards to ensure that RPM is used and billed appropriately in Medicare. Specifically, OIG recommended that CMS conduct periodic analyses to identify providers who frequently bill for enrollees who did not receive all three components of RPM and conduct follow-up with those providers. Moreover, OIG said that CMS should confirm that Medicare is only paying for RPM that is appropriate. CMS should conduct an analysis to identify providers who frequently submit Medicare claims with diagnosis codes that do not represent a chronic or acute condition. OIG also suggested that CMS work with Medicare Advantage plans to ensure that they have appropriate safeguards in place.
  2. Require that RPM be ordered and that information about the ordering provider be included on claims and encounter data for RPM. OIG advised that CMS require that provider identification numbers be included on claims and encounter data for RPM.
  3. Develop methods to identify what health data are being monitored. OIG recommended that CMS implement methods to collect more information on the types of monitoring that it is paying for, such as creating new procedure codes or collecting information on devices.
  4. Conduct provider education about billing of RPM. For example, OIG stated that CMS could issue provider education materials that summarize billing guidelines, contain information about the use of RPM, and highlight the importance of coordinating RPM information with the enrollees’ other healthcare.
  5. Identify and monitor companies that bill for RPM. OIG recommended that CMS develop a method to identify companies that specialize in RPM and monitor the companies to ensure compliant billing. Currently, Medicare does not have a way to identify companies that specialize in RPM and does not consider RPM companies to be a type of provider.

OIG’s latest report is not the first time that the agency has raised concerns regarding RPM. Recently, in a November 2023 Consumer Alert, OIG raised concerns about companies registering Medicare enrollees for RPM through unsolicited contact, but then failing to provide RPM services. However, the recommendations in the more recent report may require notice and comment rulemaking or other forms of guidance from CMS. Providers who offer RPM services should continue to monitor CMS guidance for new requirements.

The full report is available here.

Reporter, Priya Sinha, Atlanta, +1 404 572 3548, psinha@kslaw.com.