Marleah Kueler Grahek

Over the past year, long-term care providers have received unprecedented amounts of federal funding as a result of the COVID-19 pandemic. 

Not only do providers want to avoid recoupment of these funds, but they also want to avoid potential claims of fraud and abuse related to federal relief funds and overall compliance during the pandemic. A functioning and effective corporate compliance program can help providers mitigate these risks.

Why should long-term care providers care about COVID-19 relief funding and oversight?

The Office of Inspector General (OIG) inspecting fraud, waste and abuse claims for long-term care providers who accept funds from the federal government is nothing new, but during the COVID-19 pandemic, the OIG reported seeing a spike in the number of reports of harm and neglect in assisted living and nursing homes. Because of this, they are ramping up their encouragement of the public to come forth with concerns regarding patient safety and fraud, as portrayed in this video.

The OIG has also been given the authority by the U.S. Department of Health and Human Services (HHS) to audit providers’ use of billions (yes, billions with a “B”) of dollars in Coronavirus Relief Fund payments through the CARES Act directed at long-term care, and to recover funds in the event they determine an organization failed to comply with requirements.

How much data is really out there?

In addition to the influx in federal aid, federal oversight throughout the pandemic has dramatically increased through data mining. The federal government knows the number of COVID-19 cases in each facility through the National Healthcare Safety Network’s (NHSN) reporting, as well as providers’ adherence to infection control protocols, staff data, and cost reporting information regarding how provider funds are being allocated.

Adding to this seemingly elongating list is the proposed reporting of staff COVID-19 vaccination rates in the Centers for Medicare & Medicaid Services’ latest SNF Prospective Payment System proposed rule. In the eyes of the federal government, all of this data puts a story together on providers’ overall performance during the pandemic. If federal relief funds were accepted and providers signed the attestation agreeing to the terms and conditions, providers best have a good understanding of what those are to maintain compliance and understand the public availability of their data. How many providers accepted the money without really reading the “fine print?” My guess is too many.

How the False Claims Act impacts long-term care providers

How does The False Claims Act (FCA) come into play with all of this? When we think of false claims, our mind automatically goes to the financial operations of submitting fraudulent billing claims. However, arguably the more concerning and likely situation that may lead to false claims is embedded in the care delivery side of operations.

Providing substandard care and billing for it at the rate as if appropriate care was given is considered a false claim. In the time of COVID-19, this also means not following stringent infection control protocols while still accepting payments and claiming to be in compliance. The Department of Justice (DOJ) announced in 2020 the creation of a specialized task force to investigate “gross substandard care” in nursing homes, with both criminal and civil penalties on the table. With all of the provider information made available as a result of the pandemic, federal agencies have more tangible information over a longer period to support their position of an organization providing “gross substandard care.”


Another significant concern arising for long-term care providers as a result of the pandemic is that of the whistleblower. The FCA allows individuals with knowledge of fraudulent activity to become whistleblowers and bring suit against a provider on behalf of the government. Anyone with knowledge of fraud can bring a whistleblower lawsuit under the FCA, but it is by far most commonly employees.

If the suit is successful, the whistleblower can be entitled to up to 30% of any money recovered in the case, therefore, there is a heavy incentive for people to blow the whistle. By accepting funds, providers consented to HHS publicly disclosing the payments received from the Relief Fund. I like to think the best of people, but we all know 30% of those sums of money providers received could be quite tempting.

OSHA’s role in oversight

We already mentioned HHS, OIG, DOJ, and CMS, but let’s bring another regulatory agency into the picture, shall we? The Occupational Safety and Health Administration (OSHA)’s Whistleblower Protection Program already enforces twenty whistleblower statutes protecting employees from retaliation for reporting violations. They have now been tasked with overseeing worker retaliation complaints under two new Whistleblower Statutes. 

In addition, OSHA released their COVID-19 National Emphasis Program (NEP) on March 12, 2021, for which they will be targeting establishments where employees have a higher risk of contracting COVID-19 (including long-term care), as well as focusing on retaliation against employees who report safety and health concerns. We have a real regulatory agency smorgasbord here, don’t’ we?

How an effective corporate compliance plan can help 

Have I sufficiently made you paranoid between the data mining, whistleblowers, false claims, and the government’s tightening grip around our industry? If so, that is not the intent here. These are issues that may seem far away at an individual provider level, but these areas of organizational risk pose a significant harmful impact if they were to come to fruition.

It is becoming increasingly important to have internal systems in place at an organizational level to help mitigate compliance risks, and that is where a corporate compliance program comes in.

Corporate compliance is the use of internal controls to adhere to statutes, regulations and program requirements at an organizational level. It is a system of policy and procedure management, identifying and assessing organizational risk, proactively auditing these areas of risk within our departments, and continuous monitoring efforts to keep organizations operating at a pristine level of compliance. It is the system of how top leadership up to the governing body keeps a pulse on operations and holds them accountable. Referring back to the areas of risk discussed above (and beyond), a solid corporate compliance and ethics program is the best tool in your tool belt to ensure overall organizational compliance.

Corporate compliance is not a new concept, but how many organizations are actually utilizing a living, breathing corporate compliance program in their risk mitigation efforts? Many providers have a corporate compliance policy that checks a box for regulatory compliance but are not doing anything with it.

I was completely guilty of that in my years as a nursing home administrator. I did not understand until I started seeing things from this side of the equation as a risk manager just how essential and beneficial it can be when done right.

It is better to have a policy that meets the minimum requirements and do those things well (or to have no policy at all, frankly) than to have a comprehensive policy and not do anything with it. Even providers who are not bound to have a corporate compliance program, such as assisted living, should consider the benefit of the internal controls it can provide for maintaining organizational compliance.

Corporate compliance assists with communication 

As providers, we need a system in place to ensure the CEO and Board of Directors are aware of any significant issues going on in the organization, and corporate compliance is a means to accomplish this. With an effective corporate compliance program in place, the CEO and Board of Directors cannot just turn a blind eye to what is going on in the organization and are held accountable for overall compliance efforts. As a provider, ensure there is a clear system of what situations need to be escalated to the C-suites. It is when this line of communication is broken that significant organizational issues result.

Not only does corporate compliance address communication to top organizational leadership, but also communication throughout the organization as a whole. Is there a system in place for staff to follow regarding concerns of fraud and abuse? Does this include an anonymous method of reporting? Are those tasked with responding to concerns held accountable for doing so timely, thoroughly, and without any hint of retaliating against reporters? A specific policy and procedure addressing whistleblowers and anti-retaliation and protecting their anonymity is strongly encouraged and should be included in the corporate compliance plan.

Much like a hazard vulnerability assessment for emergency preparedness, a corporate compliance program should also undergo an assessment of risk. Use this assessment information to concentrate compliance efforts to the highest likely events with the highest potential organizational impact.

Oftentimes we get so stuck in the mindset of abiding by regulations that we do not think about the other parts of compliance — abiding by the law, Medicare and Medicaid program rules, and fraud and abuse claims. Operating ethically and responsibly also strengthens provider reputations within their communities, leading to census stabilization and growth. The systems needed to have a strong corporate compliance program go hand in hand with strong workplace culture, leading to staff retention. And, of course, providing the best quality of services we can while being financially sustainable.

Marleah Keuler Grahek is a risk manager at M3 Insurance, and former nursing home administrator. In her current role, Marleah works with long-term care providers to identify and develop risk management programs surrounding workers’ compensation and liability exposures.

The opinions expressed in McKnight’s Long-Term Care News guest submissions are the author’s and are not necessarily those of McKnight’s Long-Term Care News or its editors.