The Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently published a Fraud Risk Indicator and a public list that identifies “high risk” organizations on its website. Greg Demske, Chief Counsel for HHS, previously announced the Risk Indicator and the public list during a keynote speech at the September American Health Lawyer’s Association (AHLA) Fraud and Abuse Conference. The “High Risk” category is one of five that form a fraud risk spectrum. The spectrum also includes, from lowest to highest risk, a “Low Risk” (Self Disclosure), “Lower Risk” (No further action), “Medium Risk” (Under Corporate Integrity Agreements (CIAs)), and “Highest Risk” (Exclusion) category.
HHS originally set out the fraud risk categories in its April 18, 2016 exclusion criteria guidance. In deciding where an organization falls, on the risk indicator, and whether the OIG will exercise its permissive exclusion authority, the OIG takes into account four broad factors: (1) the nature and circumstances of the conduct; (2) conduct during the government’s investigation; (3) whether the entity made efforts to improve its conduct; and (4) the entity’s history of compliance. Following the 2016 Exclusion Criteria guidance, the OIG started to use a rare third option of deeming an organization as “high risk”, the category that falls between the highest risk (exclusion) and medium risk (CIAs) categories. Individuals and organizations that refuse to enter into a CIA or IA, as recommended by the OIG, will fall into the “high risk” category. However, it is rare for a provider to be deemed as such. According to a 2018 GAO report, in 2016 and 2017 combined, only 11 individuals or organizations were placed in the “high risk” category, in comparison to the 260 instances where the OIG reserved its exclusion authority, and the 42 instances where it gave a full release from its exclusion authority.
When the OIG deems an organization to be “high risk”, the entity may be subject to increased administrative actions, such as unilateral monitoring by the OIG, referrals to the Centers for Medicare & Medicaid Services contractors for claims review, or post settlement audit and investigation by the OIG. The OIG reserves the use of some of these monitoring tools for individuals or organizations in the “high risk” category because it believes that absent a CIA or exclusion there has been little mitigation of the risk that the individual or organization may engage in future fraudulent or illegal conduct. For example, in the case of CIAs, the OIG believes that the risk of future fraudulent or illegal conduct is mitigated because “persons under CIAs demonstrated responsibility for their past conduct by accepting OIG oversight.” Similarly, the risk posed by organizations or individuals who are excluded from federal health care programs is mitigated when that provider can no longer receive payment from federal health care programs. In this vein, the OIG may use its other tools to monitor “high risk” individuals and entities, in an effort to mitigate the risk of future fraudulent conduct that they may engage in.
The OIG list of “high risk” entities became available on October 1, 2018, and it currently contains the name of one organization. The list was developed in an effort to increase transparency, because unlike organizations or individuals that were on the OIG’s List of Excluded Individuals and Entities, or the CIA listing, these “high risk” individuals and organizations were previously unknown to the public. With the publication of the “high risk” list, the OIG aims to notify hiring providers and patients that these entities continue to pose a high risk, despite the fact that they are not excluded or party to a CIA.
The Fraud Risk Indicator can be found at: