Outsourcing operations can offer solutions to a variety of business challenges, particularly with respect to remote patient monitoring (RPM) and remote therapeutic monitoring (RTM) (collectively, RM) and other digital health and telemedicine companies, where services can be furnished by healthcare professionals far from the patient’s location. However, healthcare providers and investors operating in the RM, digital health, and telemedicine space should be aware of potential federal and state False Claims Act (FCA) risk in using personnel outside the United States or even in other U.S. states to furnish RM services reimbursed by Federal Health Care Programs (FHCPs). As FHCPs are so highly regulated, and FCA qui tam provisions financially incentivize whistleblowers to file complaints with the government, regardless of the merits of their allegations, improperly structuring outsourcing operations can lead to significant FCA risk.
To comply with FHCP requirements and mitigate FCA risk, parties should ensure that any individual furnishing RM services billed to FHCPs is located in the United States and appropriately licensed to provide services to patients residing outside of the state in compliance with state laws. Further, claims submitted to FHCPs must identify the accurate place of service, as FHCP reimbursement may vary depending on the location in which RM services are furnished. If a company is carving out FHCP data for domestic review while channeling other types of data internationally, legal and compliance functions should engage in appropriate oversight of the firewalls intended to separate those workflows.
Healthcare companies should also commit sufficient resources to develop an appropriate healthcare compliance program to identify and mitigate FCA and other healthcare fraud and abuse risks. One aspect of an appropriate compliance program for healthcare providers is a robust licensure committee that provides adequate oversight for the licensure of all healthcare professionals (including lower-level professionals such as technicians) in the states in which patients are served to ensure compliance with state laws and FHCP requirements. Another important component of a robust compliance program includes an auditing and monitoring function (either internal or external) that conducts, for example, periodic, sample-based audits of billing and coding data and claims form reviews for issues such as site of service. Such reviews can detect potential issues early and preserve other avenues for resolving claims that the government might identify as potential overpayments, including self-disclosure to the relevant government entity, which often results in more favorable terms of resolution.
Outsourcing and State Licensing Enforcement Example
As an example of the potential consequences related to outsourcing of RM services, in December 2022, an RM company and its subsidiaries (collectively, the Companies) paid nearly $45 million to settle allegations by the Department of Justice (DOJ) that they violated the FCA by submitting claims for reimbursement for heart monitoring tests that were furnished outside the United States, often by technicians supposedly unqualified to furnish the services. These claims are allegations only, and there has been no admission of guilt by the Companies, but DOJ’s interest in this subject further underscores the importance of rigorous compliance safeguards around the use of healthcare data transmitted internationally, particularly when furnishing services ultimately billed to FHCPs.
The Companies provide remote cardiac monitoring services via their FDA-approved wireless medical device. The device transmits patient data in real time and automatically detects arrhythmia. The data transmissions reported by the device are further analyzed and interpreted by technicians from the Companies’ independent diagnostic testing facilities (IDTFs). The IDTF technicians monitor the user’s heart activity in real time, analyze the results, and then send the final reports to the user’s treating physician.
In March 2019, two relators who were former employees of the Companies and who subsequently worked for a competitor company, filed an FCA qui tam complaint raising various allegations about how the Companies furnished cardiac monitoring services. Private individuals, who are often disgruntled former employees of a company, are financially incentivized to file such complaints. The federal FCA, for example, authorizes whistleblowers to sue in the government’s name and allege that false claims were submitted to the federal government. Whistleblowers are entitled to receive 15% to 30% of any amounts the government recovers.
In its press release announcing the settlement, DOJ alleges that the Companies contracted with an India-based company to review heart monitoring data for analytic and diagnostic purposes. The Companies also allegedly contracted with a domestic IDTF for use with FHCP beneficiaries. However, allegedly in violation of federal law that prohibits payment by FHCPs for services furnished outside the United States, the Companies began routing some FHCP beneficiaries’ data to the Indian facility once the U.S. facility became backlogged. According to DOJ, these claims were “false” under the FCA because they were ineligible for FHCP reimbursement.
Furthermore, the government alleges that most of the offshore technicians reviewing FHCP beneficiaries’ data were not certified by the appropriate credentialing body. Although the Companies implemented technological controls to prevent offshore personnel from accessing data intended for review domestically, DOJ alleges that those controls were insufficient. In addition to these allegations by DOJ, the relators in their qui tam complaint also alleged that the Companies billed for services furnished in different U.S. states than the one identified on the claim.
In addition to the settlement with DOJ, the Companies entered into a five-year corporate integrity agreement with the Department of Health and Human Services Office of the Inspector General.
Telemedicine and RM Diligence Considerations
For investors and strategic buyers of telemedicine, RPM, RTM, and other digital health businesses that depend on licensed technicians and other healthcare professionals, this recent enforcement example serves as an important reminder of the level of sophistication that should be brought to any diligence process evaluating a target acquisition or investment. In particular, buyers must be ready to “get into the weeds” on licensure, site of service, practices to complete claims forms, and historical auditing and compliance program practices to evaluate potential risks and impact on valuation and escrow strategies. Licensure and claims review can often be tedious but is an essential and early part of any successful diligence process for sophisticated buyers and investors in healthcare.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
Attorney Advertising—Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. +1 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP