Criminal and Civil Liability of Coders
HIPAA Says It’s a Matter of Truth or Consequences
By David M. Vaughn, JD, CPC
Most of you are probably aware that 10 years ago Congress passed the Kassebaum-Kennedy bill—known commonly as the Health Insurance Portability and Accountability Act (HIPAA). What you may not, but should, know is that HIPAA didn’t start out as a privacy statute, but rather a health care fraud and accountability statute.
New Health Care Sanctions
Numerous new health care sanctions have been implemented under HIPAA, the primary ones being:
- Amending the Civil Monetary Penalties Act under 42 U.S.C. 1320-7a(a) to increase the civil monetary sanctions from $2,000 to up to $10,000 per false claim;
- Broadening the definition of a “knowing” false claim under the civil False Claims Act to include not just actual knowledge, but also deliberate ignorance of the truth and reckless disregard of the truth; and
- Adopting a criminal health care fraud statute, 18 U.S.C. 1347, which states it is a federal felony to defraud “any health care benefit program.”
The effect of these three enactments makes it easier for the government to prove civil fraud, obtain higher penalties for civil fraud, and criminally prosecute providers and their staff for defrauding not only government insurers, but also commercial insurers.
Ignorance Is Not Bliss
To make it easier for the government to prove a civil false claim, the burden of proof is no longer actual knowledge, but mere “reckless disregard.” In one case in which I was involved, the U.S. Attorney’s Office took the position that reckless disregard was established by the following:
“… the provider had knowledge of appropriate billing codes and procedures as indicated by the presence of both ICD-9-CM and CPT® manuals on the shelves of his office;”
“… this evidence is bolstered by the provider’s receipt of monthly Medicare and Medicaid bulletins, copies of which were located in his office;”
“… they knew where to get any questions about billing policies and procedures answered by Medicare, Medicaid or Blue Cross/Blue Shield;” and
“… the provider became aware of questions surrounding his billing practices, yet made no attempt to voluntarily disclose the overbilling nor did he attempt to reimburse Medicare, Medicaid, or BCBS.”
It’s a good guess that all provider offices have CPT® and ICD-9-CM coding manuals and payer newsletters. Does this mean that all providers have prior knowledge when filing a claim that is false? The only recourse would be if the provider could prove none of these three sources addressed the claim in question. Moreover, how many providers fail to repay over-coded claims after they learn of it? To the government, failure to repay after gaining knowledge demonstrates intent to convert, and can be construed as criminal intent to defraud.
Case In Point
Not only did HIPAA make it easier for the government to prove there is a false claim, but it also increased the possible damages from $2,000 to $10,000. For example, in one reported case against a psychiatrist, United States v. Krizek, 859 F.Supp. 5 (1994), the government sued the psychiatrist for $81 million, based on 8,100 false claims multiplied by $10,000 per false claim. The psychiatrist only billed one code incorrectly, but the government claimed it was billed incorrectly 8,100 times.
Not only did the HIPAA make it easier to prove civil fraud, and increase civil fraud penalties, but it also allowed federal indictments for defrauding commercial payers. I have reviewed numerous indictments in which neither Medicare nor Medicaid was the aggrieved payer, but rather Blue Cross, or CIGNA, or Aetna. Indeed, BCBS is one of the most aggressive investigators and referrers of fraud in my experience. I also find that BCBS audits providers more often than any other commercial payer. So, the days of billing cautiously to Medicare, but aggressively to commercial payers are over.
How does all this apply to coders, office managers, or other non-providers? Simply, even though it’s the provider’s name on the claim form, everyone who took part in the claim may be liable civilly or criminally. Consider the following scenarios:
- United States v. Krizek, 859 F.Supp. 5 (1994). The government sued both Dr. Krisek and his wife as well, since she was in charge of billing.
- U.S. v. Singh, (U.S.D.C., NY, 2003). The government indicted both the physician, Dr. Singh, as well as his coder, Toni Coons, for allegedly improperly upcoding claims and improperly billing incident to claims.
- U.S. v. Stevens (W.D. KY, CV 1:04-CV-77-M). In a qui tam case, the whistleblower sued the physician, his wife who was the office manager, and the biller for conspiring to bill the United States incorrectly.
Just last year, the Attorney General of Florida arrested the biller in a dentist office for allegedly fraudulently billing Medicaid.
The authority for these civil and criminal cases against billers and coders is based on language similar to that used in the federal health care fraud statute which states, “Whoever knowingly and willfully executes, or attempts to execute, a scheme or artifice to defraud any health care benefit program…” (emphasis added).
While it is true that the mere knowledge of a crime is generally not a crime, if the biller or coder performs any act in furtherance of the improper billing — including being in a position to, but not stopping the improper coding or billing — the government can consider that a crime. The bottom line is that in today’s environment, once the coder learns of improper coding or billing, he or she must advise the employer, request them to cease improper billing, and if they refuse, terminate employment. In other words, it’s a matter of truth or consequences.