Law360 (March 3, 2021, 5:20 PM EST) --
But recently the DOJ has openly acknowledged that it has increasingly begun to leverage the government's own insider information, in the form of running sophisticated data analytics on federal health care program billing and claims data "to identify trends and extreme outliers." The DOJ's fiscal year 2020 fraud statistics certainly bear this out, revealing a steep increase in the number of DOJ-initiated FCA suits last year.
Data analytics is hardly foreign to health care companies. They have long employed data defensively, for example to contradict the government's theory of causation in an FCA case, and the government's own compliance guidance recommends data analytics as part of routine internal monitoring and auditing.
Yet the DOJ's acknowledgment that it has begun to use health care industry data offensively brings new urgency to the question of how savvy health care industry participants can defensively deploy their own data to identify potential problems through internal investigations before they become part of government investigations.
Although the strategies discussed below focus on addressing provider billing risk areas, particularly relating to pandemic regulatory flexibilities, a range of entities across the health care industry will be targeted through the DOJ's new data analytics initiative and as a result could benefit from first putting their own data under internal review.
For example, the DOJ has recently made public statements describing its greater use of drug and device manufacturers' open payments data to assess potential violations of the Anti-Kickback Statute. Many health care and life sciences companies have robust processes in place to address employees potentially becoming whistleblowers, but now they should also carefully assess the stories their data will tell to the government.
One of the areas most ripe for a wave of enforcement aided by data analytics is the billing flexibilities offered by the Centers for Medicare & Medicaid Services during the COVID-19 public health emergency.
CMS used every tool at its disposal to give the health care industry an unprecedented degree of flexibility to facilitate continuity of care for federal health care program beneficiaries. By issuing dozens of blanket waivers under Section 1135 of the Social Security Act, CMS was able to waive temporarily the application of a host of CMS regulations and statutory provisions.
CMS supplemented these waivers with four interim final rules with comment, each announcing a new set of billing flexibilities and pandemic-related requirements such as those relating to infection control. Along the way, CMS issued multiple new enforcement discretion policies.
The shifting regulatory landscape creates new challenges for providers also fighting on the front lines of COVID-19. Furthermore, when providers are suddenly allowed to engage in previously forbidden billing practices, it becomes more difficult for them meaningfully to assess their own trends or outlier status.
But providers do not have to sit and wait in the dark, more ignorant than the government of what their data show. Providers can take steps to analyze both their own and publicly available data to understand areas where their billing patterns could appear to be outliers or have deviated from prior trends in ways that are inconsistent with even the more flexible set of rules in effect during the pandemic.
Areas to focus on initially could include aspects of the provider's business where the government has loosened up billing practices over time, particularly due to temporary pandemic-related billing flexibilities, or areas that a provider has previously not spent substantial time auditing.
Providers should understand any significant events that occurred during the period of analysis, either provider-specific (e.g., expansion in capacity) or industrywide (e.g., postponement of elective procedures due to the COVID-19 public health emergency). These contextual events will both highlight areas appropriate for a closer look and, later in the process, affect conclusions that can be drawn from the data.
Providers with rapid swings in how they bill for care may wish to select these areas for further review, recognizing that thoughtful analysis is necessary to understand the cause of those new trends. In many ways, the public health emergency has caused major disruptions to how providers deliver care, which will complicate a provider's data analytics.
Even within a provider organization, responses to these challenges can manifest in varying ways across departments and may have altered operations for peer providers in very similar or drastically different ways — factors that will also be important to keep in mind later, during the data analysis phase.
Prior enforcement actions also provide a guide to identifying metrics likely to be of interest to the government. Indeed, some enforcement actions set out specific details concerning allegations of health care fraud and how it was detected.
The most relevant metrics for each provider will depend on the types of care delivered, but regardless of provider type, metrics chosen for analysis should be comprehensive and representative of the provider's health care services both from a financial and delivery-of-care perspective.
Examples of relevant metrics include the average claim amount, the mix of procedures performed by the provider, the proportion of highly reimbursed procedures and the annual number of claims per beneficiary.
After determining metrics of interest, the next step is for providers to take stock of the data available within their organizations that is capable of supporting robust analyses of these metrics.
In particular, a provider should carefully consider any data that could form the basis for government scrutiny, such as detailed billing records of claims submitted for Medicare reimbursement as well as materials that may have been part of a CMS or U.S. Department of Health and Human Services Office of Inspector General audit.
If a provider's data are fragmented across multiple systems, for example due to a series of prior acquisitions, now may be the time to invest in an integrated solution. Otherwise, data shortcomings not only handicap a provider's ability to engage in robust data-driven compliance monitoring but, from the government's perspective, may also harm the provider's credibility when describing its commitment to compliance during a future enforcement action.
Once providers have isolated the most relevant datasets, they can review trends and look for deviations within their own organization. Subgroup analysis is a useful tool for larger organizations; for example, the metrics can be stratified and compared by department and physician.
Additionally, shifts in trends over time can be assessed and flagged for further qualitative evaluation. For example, Medicare-payable telehealth services vastly expanded due to actions taken by CMS to offer temporary flexibility to providers.
Before COVID-19, there were only 15,000 fee-for-service Medicare beneficiaries receiving weekly telehealth services. Between mid-March and mid-October 2020, over 24.5 million fee-for-service Medicare beneficiaries received telehealth services.
Providers that have taken advantage of this new flexibility could analyze quarterly claims per beneficiary, including both in-person and telehealth services. This metric could then be compared before and after the billing flexibilities were put in place for Medicare beneficiaries.
The hypothesis is that the overall level of care would be the same over time but the mix of telemedicine and in-person care would be different. However, if the average claims per beneficiary rapidly increased after the billing flexibilities were put in place, the provider would want to further assess causation.
After assessing patterns within the provider's organization, the metrics can be benchmarked against peer providers using publicly available data. Any outliers may be appropriate candidates for more detailed auditing, including medical record review.
Finally, after engaging in data analyses, providers will need to consider next steps. In some cases, additional training or process changes may be necessary. Depending on the results, self-disclosure and administrative repayment to the Department of Health and Human Services may also be appropriate.
Brenna Jenny is a partner at Sidley Austin LLP. She was principal deputy general counsel at HHS and chief legal officer at CMS until January 2021.
Mihran Yenikomshian is a vice president and Paul E. Greenberg is a managing principal at Analysis Group.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 Remarks of Deputy Assistant Attorney General Michael D. Granston at the ABA Civil False Claims Act and Qui Tam Enforcement Institute (Dec. 2, 2020), https://www.justice.gov/opa/speech/remarks-deputy-assistant-attorney-general-michael-d-granston-aba-civil-false-claims-act.
 Civil Division, DOJ, Fraud Statistics, https://www.justice.gov/opa/press-release/file/1354316/download.
 DOJ Criminal Division, Evaluation of Corporate Compliance Programs (June 2020), available at https://www.justice.gov/criminal-fraud/page/file/937501/download.
 See, e.g., DOJ, Press Release, Dermatology Physicians and Practice to Pay $1.9 Million to Settle False Claims Act Investigation into Overbilling Medicare for Evaluation and Management Services (Apr. 18, 2016), https://www.justice.gov/usao-ndga/pr/dermatology-physicians-and-practice-pay-19-million-settle-false-claims-act.
 CMS, Press Release, Trump Administration Finalizes Permanent Expansion of Medicare Telehealth Services and Improved Payment for Time Doctors Spend with Patients (Dec. 1, 2020), https://www.cms.gov/newsroom/press-releases/trump-administration-finalizes-permanent-expansion-medicare-telehealth-services-and-improved-payment.
For a reprint of this article, please contact firstname.lastname@example.org.