Monthly Newsletter

The May Newsletter topic is "Risk Management"

This issue points to a free HIPAA risk management video, an update from CMS on interoperability compliance and proposed prior authorization for drugs, and the impact of whistleblower situations and how to avoid them in your organization.


The landscape of qui tam litigation is evolving, with a significant increase in cases where the government declines to intervene, meaning whistleblowers are increasingly driving high-stakes litigation on their own.


This makes it essential for organizations to not only focus on compliance but also to take internal complaints seriously and handle them properly to avoid retaliation claims.


In 2026, the DOJ is signaling that voluntary self-disclosure, cooperation, and swift remediation are rewarded, emphasizing that organizations must be prepared to demonstrate proactive compliance and rapid, organized investigation protocols if a suit is filed.  Enjoy this issue and free educational articles posted on the AIHC Blog.

Risk Management Under the HIPAA Security Rule

New Free Video

The Office of Civil Rights (OCR) recently released a video intended to raise awareness and provide practical education to Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates of the HIPAA Security Rule's Risk Management requirement. Effective risk management is an essential component of both HIPAA Security Rule compliance and broader cybersecurity preparedness. Click Here for the 48-minute OCR Video.

CMS Interoperability Compliance Update

CMS updated the 2026 CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule (CMS-0062-P) webpage with related resources to help you learn more, including:

  • Federal Register link to the rule: Submit comments by June 15
  • Fact sheet
  • Press release
  • Technical workflows: Visual guides to assist with the technical implementation of the proposed National Council of Prescription Drug Programs standards and existing Payer-to-Payer and Prior Authorization Application Programming Interfaces
  • Proposed metrics summary: Detailed information regarding the new proposed reporting metrics
  • Summary of proposed provisions: High-level overview of the key proposals introduced in the rule
  • Town Hall presentation and recording (April 16, 2026)

Impact of Qui Tam (Whistleblower) Cases

In Fiscal Year 2025, the U.S. Department of Justice (DOJ) reported a record-breaking $6.8 billion in False Claims Act (FCA) recoveries, with over $5.7 billion stemming from health care fraud, marking the highest amount in history. Major qui tam settlements (whistleblower lawsuits) accounted for over $5.3 billion of this total, driven by 1,297 new filings.

Whistleblowers generally receive between 15% and 30% of the government's recovery, with recent cases paying tens of millions to whistleblowers, including $24.3 million in a single case reported by the Justice Department. 

Healthcare Qui Tam Settlements Examples:

  • Kaiser Permanente Affiliates ($556 Million): Resolved allegations that the healthcare consortium submitted invalid diagnosis codes for Medicare Advantage Plan enrollees and pressured physicians to add risk adjustment diagnoses.
    • Whistleblowers were awarded $95 million.
    • The civil settlement includes the resolution of certain claims brought in lawsuits under the qui tam or whistleblower provisions of the False Claims Act by Ronda Osinek and James M. Taylor, M.D., former employees of Kaiser.
  • Community Health Network ($345 Million): In early 2025, Indianapolis-based Community Health Network Inc. agreed to a massive $345 million settlement to resolve False Claims Act allegations.
    • The case, led by a former CFO, alleged that the network violated federal and state laws, including the Anti-kickback Statute, by overpaying physicians and overpaying for real estate.
  • Aetna Insurance ($117.7 Million): A 2026 settlement was made to resolve the allegation that Aetna submitted inaccurate and untruthful patient diagnosis data to CMS in order to inflate the risk adjustment payments it received from CMS, failed to withdraw the inaccurate and untruthful diagnosis data and repay CMS, and falsely certified in writing to CMS that the data was accurate and truthful.
    • Aetna Inc., a national insurer incorporated under the laws of Pennsylvania, has agreed to pay $117,700,000 to resolve allegations that it violated the False Claims Act by submitting or failing to withdraw inaccurate and untruthful diagnosis codes for its Medicare Advantage Plan enrollees in order to increase its payments from Medicare.
    • The settlement in this case provides for the whistleblower, a former Aetna risk-adjustment coding auditor, to receive a $2,012,500 share of the settlement amount.

As demonstrated above, qui tam cases typically focus on violations of the Anti-Kickback Statute (paying for referrals), Stark Law (physician self-referral), and fraudulent billing (upcoding or billing for unnecessary services). This leads us to the next topic: being proactive to AVOID whistleblowing!

Proactive Defense: Avoid Qui Tam Lawsuits

Qui tam lawsuits, filed by whistleblowers under the federal False Claims Act (FCA), are a primary tool used by the Department of Justice (DOJ) to combat healthcare fraud.  A large percentage of qui tam cases are filed by former or unhappy employees who first tried to raise issues internally. There are 2 points to remember:

  1. Don't Shoot the Messenger: When employees raise concerns, they should be listened to and the issues investigated.
  2. Conduct an Internal Investigation: If a complaint is made, investigate it immediately with the help of counsel to maintain privilege. If the complaint is valid, fix the issue and repay any overpayments (the "60-day rule"). There should be zero tolerance related to retaliation. Inform employees of the results of the investigation and the company's action plan, when possible, but at least provide a general explanation to the reporter. Many qui tam suits are avoided by providing feedback on the company's internal investigation.

For healthcare organizations of all sizes, avoiding these costly lawsuits requires a proactive compliance strategy that fosters a culture of integrity rather than mere adherence to rules. By implementing robust internal reporting systems, conducting regular audits, and addressing employee concerns internally, organizations can mitigate risks of being reported to federal authorities.

Be Proactive - Establish a Robust Compliance Culture

The best defense against a qui tam case is a strong internal compliance culture that makes a whistleblower lawsuit unnecessary. Adopt the OIG's Seven Elements of an Effective Compliance Program: written policies, compliance leadership, training, open communication, auditing, enforcing standards, and prompt response.

Establish effective reporting channels. Create multiple, anonymous, and confidential channels (e.g., hotlines, compliance officer access) for employees to report concerns. Encouraging individuals to come forward won't work unless there is a strictly enforced policy prohibiting retaliation. FCA retaliation claims are often easier for employees to win than the underlying fraud claims.

Risk Areas to Monitor and Audit

Organizations must specifically target areas of high liability based on recent enforcement trends, such as:

  • Medicare cost report errors: The 2025 OIG audit found errors or inconsistencies in 100% of reviewed cost reports (122 out of 122) handled by a Novitas.
  • Stark Law & Anti-Kickback Statute: Scrutinize physician financial relationships. Any compensation that is not at fair market value or induces referrals is prohibited.
    • CMS settled 244 self-disclosures in 2025 via the Self-Referral Disclosure Protocol (SRDP), totaling over $20.3 million. AKS FCA cases yielded over $5.3 billion (over 77% of total recoveries), driven heavily by whistleblower actions in 2025.
    • Speaker Programs & Marketing: Continued focus on AKS violations regarding payments to physicians.
  • Medical Necessity & Billing: Frequently audit documentation to ensure services are medically necessary. A "worthless service" or excessive treatment is a major source of qui tam cases.
  • Upcoding and Unbundling: Monitor coding practices to ensure they accurately reflect the patient condition. "Upcoding" to increase reimbursement is a common allegation.
  • Cybersecurity Compliance: Ensure that cybersecurity systems meet the standards promised in government contracts; failures here can now trigger FCA liability.
    • The Department of Justice's (DOJ) Civil Cyber-Fraud Initiative, launched in 2021, uses the False Claims Act (FCA) to hold government contractors, including healthcare organizations, liable for failing to meet cybersecurity standards promised in contracts.
    • In 2026, cybersecurity compliance is a core component of FCA enforcement, especially for providers receiving federal funds, as this allows for treble damages and penalties for knowingly submitting false claims.
    • HIPAA Penalties (2026): Maximum penalties for HIPAA violations increased, with maximums reaching $73,011 per violation and annual caps at $2,190,294.

Civil Monetary Penalty (CMP)

Based on inflation adjustments (utilizing a 2026 cost-of-living multiplier), the penalties for FCA violations have increased:

  • Minimum FCA Penalty: Increased to $14,308 per claim.
  • Maximum FCA Penalty: Increased to $28,619 per claim.

These updated amounts apply to penalties assessed on or after the effective date in 2026 for violations that occurred after November 2, 2015.  In addition to these per-claim penalties, violators are still liable for treble damages (3x the government's loss).

Conclusion

Qui tam cases pose a severe financial and reputational threat to healthcare entities. By prioritizing a compliant culture, fostering transparent internal communication, and acting proactively when problems are identified, healthcare organizations can effectively avoid becoming the target of a whistle-blower's lawsuit.

How to Earn .25 Continuing Education Unit by reading the Monthly Newsletter

  • Login as a Member
  • Click on My Renewals from your DashBoard
  • Click on FREE CEUs for your next credential renewal!
