Investments in health care providers, and companies that provide services to health care providers, require careful consideration. This issue brief explores certain regulatory compliance issues and related internal controls established through a corporate compliance program that private equity investors should consider when evaluating potential investments.

BackgroundA lack of controls to support compliance with federal and state fraud and abuse laws, including the federal Anti-Kickback Statute, Physician Self-Referral Law (Stark Law), and the False Claims Act, can result in regulatory violations and may even result in nonpayment of claims, repayment obligations, Civil Monetary Penalties (CMPs), exclusion from all Federal health care programs (including Medicare), and criminal and civil liability. Violations and overpayments may be identified through internal

auditing and monitoring, payor audits, or an investigation by a payor or government agency. Health care providers are required to report and return overpayments. Repayment obligations can result from violations such as the submission of incorrect claims, improper relationships with referral sources, or services performed on behalf of the organization by an entity or individual (e.g., employee, contractor, vendor, or volunteer) excluded from Medicare, Medicaid, or other federal health care programs. The repayment obligation is calculated to include reimbursement for items or services furnished, ordered, prescribed, or provided during periods of noncompliance. Depending on the violation and circumstances, criminal or civil fines and penalties can be imposed for each false claim or violation, as well as a civil assessment of up to three times the amount claimed. Criminal penalties may include fines or imprisonment, or both.

An organization with an effective compliance program can mitigate these risks through their efforts to prevent violations and minimize imposed fines and penalties through voluntary repayments when violations are detected and addressed internally.

Regulatory compliance considerationsRegulation and compliance Health care providers operate in a highly regulated industry. The Centers for Medicare & Medicaid Services (CMS) is a federal agency within the United States Department of Health and Human Services (HHS). CMS administers the Medicare, Medicaid, State Children’s Health Insurance Program (SCHIP), Clinical Laboratory Improvement Amendments (CLIA), and several other health-related programs.

Understanding health care provider regulatory compliance requirements and evaluating impact to deal value

An update for private equity investors

2

To prevent and detect fraud and abuse, CMS works with individuals, entities, and law enforcement agencies, including state and federal law enforcement agencies, such as the Office of the Inspector General (OIG), Federal Bureau of Investigation (FBI), Department of Justice (DOJ), State Medicaid Agencies, and Medicaid Fraud Control Units (MFCUs), among others. Commercial payors also have programs in place to detect fraud, waste, and abuse.

In 1997, the OIG began publishing compliance program guidance directed at various segments of the health care industry, such as hospitals, nursing homes, third-party billing companies, and durable medical equipment suppliers—among others—to encourage the development and use of internal controls to support adherence to applicable statutes, regulations, and program requirements.1 Guidance has also been published by the OIG and industry for health care boards of directors around their oversight responsibilities and notes the board’s role is a key component of an effective compliance program.2

The OIG believes that the adoption and implementation of voluntary compliance programs significantly advances the prevention of fraud, waste, and abuse in health care while at the same time furthering the fundamental mission of health care providers, which is to provide quality care to patients.

The need for an effective compliance program for health care organizations transitioned from voluntary to mandatory with the requirement in the Patient Protection and Affordable Care Act (PPACA) that health care providers applying to enroll as Medicare providers have a compliance program in place.

Elements of a compliance programOIG compliance program guidance recommends providers have a compliance plan that is designed to include the seven elements of an effective compliance program in accordance with the US Sentencing Commission’s Federal Sentencing Guidelines, as follows:

• Written policies, procedures, and standards of conduct

• Board oversight, compliance officer, and compliance committee

• Employee training and education

• Communication systems

• Enforcement of standards

• Auditing and monitoring

• Response and prevention

A culture of compliance should be evident by the tone at the top where compliance is actively promoted and supported by the board and senior-level executives.

An organization with an effective compliance program should routinely perform risk assessments to understand their unique risk areas, based on external regulatory focus areas and problem areas identified internally. These organizations should also routinely perform an assessment of their compliance program effectiveness either internally or through an evaluation conducted by an external law firm or consultant. Pursuant to the risk assessment, an annual compliance work plan is developed, compliance audits are conducted, and overpayments identified are refunded to the applicable payor. Corrective action plans are developed and monitored, and re-audits are completed.

Regulatory impact of noncomplianceThere are many federal and state laws and regulations impacting health care organizations. A few include:

Anti-Kickback Statute (AKS) – Prohibits knowingly and willfully offering, paying, soliciting, or receiving anything of value to induce or reward referrals or generate federal health care program business.3

Stark Law – Prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or immediate family member) has a financial relationship unless an exception applies. Prohibits the designated health services entity from submitting claims to Medicare for those services resulting from a prohibited referral.4

False Claims Act – Imposes liability on persons and companies who knowingly defraud or cause the submission of false or fraudulent claims to governmental programs like Medicare and Medicaid.5

While CMPs are adjusted for inflation annually, the Bipartisan Budget Act of 2018 substantially increased criminal and civil penalties that can be imposed for violating laws related to federal health care programs. For example, the potential criminal fine for violating the AKS increased from $25,000 to $100,000 per violation and doubled the potential maximum prison sentence from five to 10 years. The changes appear to signal an emphasis from Congress on preventing health care fraud.

An update for private equity investors

3

Risks to evaluateWhile each type of health care company has its own unique risks, there are some risks that are commonly seen across the industry and that could be addressed by an organization with an effective compliance program. These include, but are not limited to, the following:

• Physician arrangements—inappropriate inducements to physicians in exchange for their business

• Improper beneficiary inducements (such as providing free items, or not charging patients for copayments and deductibles)

• Billing and coding errors such as: – Systematic IT billing errors – Billing for services not ordered, not performed, or not documented

– Upcoding or billing for a more complex procedure/service than provided

• Billing for services that are not covered, not medically necessary, or not ordered by a physician or other authorized individual

• History of and/or ongoing regulatory activity

• Billing for services of providers that are not properly credentialed under a different physician name

• Sales and marketing tactics that result in improper inducements

• Purchase of an entity or employment of individuals that are excluded from participation in federal or state health care programs

• Lack of refunding credit balances

• Quality of care concerns

• Failure to adhere to licensing requirements and/or Medicare conditions of participation (COPs)

• Not refunding identified overpayments

• Health Information Portability and Accountability Act (HIPAA) privacy and/or security violations

• Lack of compliance around clinical trials, including grants, billing, and patient safety

• Timely investigation of reported or suspected noncompliance or misconduct

• Resolution of identified noncompliance or misconduct

Impact on valuationUnderstanding the status of an organization’s compliance program can support an investor’s assessment of valuation of the target company. It provides the investor with the knowledge regarding whether the organization has put forth a good-faith effort to reduce the risk of regulatory enforcement actions through establishing controls and oversight to support accurate and complete billing to payors, as well as appropriate interactions with referral sources and patients. With an effective compliance program, revenue streams are supported as the organization has taken steps to reduce the risk of improper conduct, denials, repayments, fines and penalties, and Corporate Integrity Agreements, as well as reduce the risk of qui tam/whistleblower lawsuits that occur routinely in health care and are initiated by individuals, including employees who are aware of unaddressed compliance concerns.

M&A compliance diligence expectedThe US DOJ checklist for evaluation of corporate compliance programs includes three areas of compliance review related to the identification of misconduct or compliance risks during pre-acquisition due diligence, as well as post-acquisition integration activities:

1. Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally?

2. How has the compliance function been integrated into the merger, acquisition, and integration process?

3. What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

Pre-acquisition compliance due diligence can play an important role in creating a remediation roadmap for post-merger integration activities, enabling private equity investors to establish mitigation strategies for potential exposure that may have been identified.

An update for private equity investors

Life Sciences & Health Care M&A Transaction Services team

Phil PfrangNational Managing Partner LSHC M&A Transaction Services Deloitte & Touche LLPNew York office+1 212 436 3481ppfrang@deloitte.com

Kyle WoitelNational Tax Leader, PartnerLSHC M&A Transaction Services Deloitte Tax LLPChicago office+1 312 486 3499kwoitel@deloitte.com

Todd PierroPartnerLSHC M&A Transaction Services Deloitte & Touche LLP Parsippany office+1 973 602 5560tpierro@deloitte.com

Ben ClarkPartnerLSHC M&A Transaction Services Deloitte & Touche LLPLos Angeles office+1 213 688 4166beclark@deloitte.com

Bryan MartinPartnerLSHC M&A Transaction Services Deloitte & Touche LLPBoston office+1 617 437 2834bryanmartin@deloitte.com

Kevin SixPartnerLSHC M&A Transaction Services Deloitte Tax LLPDallas office+1 214 840 7553ksix@deloitte.com

Chris CarusoPartnerLSHC M&A Transaction Services Deloitte & Touche LLPChicago office+1 312 486 3554ccaruso@deloitte.com

James GorayebPartnerLSHC M&A Transaction Services Deloitte & Touche LLPNew York office+1 212 436 3755jgorayeb@deloitte.com

Scott VenusManaging DirectorLSHC M&A Transaction Services Deloitte & Touche LLPCharlotte office+1 704 887 1807svenus@deloitte.com

Jessica PerezPartnerLSHC M&A Transaction ServicesDeloitte & Touche LLPLos Angeles office+1 213 553 1035jessperez@deloitte.com

Christine AnusbigianSpecialist LeaderLSHC Regulatory and Operations RiskDeloitte & Touche LLPDetroit office+1 313 396 5857canusbigian@deloitte.com

Endnotes

1. Office of Inspector General, Compliance Guidance, https://oig.hhs.gov/compliance/compliance-guidance/index.asp.

2. Office of Inspector General, Compliance Resource Material, https://oig.hhs.gov/compliance/compliance-guidance/compliance-resource-material.asp.

3. Anti-Kickback Statute, 42 USC § 1320a-7b(b).

4. Stark Law, 42 USC § 1395nn.

5. False Claims Act, 31 U.S.C. §§ 3729 - 3733.

This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this article.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2019 Deloitte Development LLC. All rights reserved.

If you would like to be added to this distribution or would like to receive previous issues of our series on health care sector deal risks, please contact usmaservices@deloitte.com.

Access previous issues in this series at www.deloitte.com/us/lshcbriefs.

An update for private equity investors