Bass, Berry & Sims attorney Julia Tamulis prepared the following content with BDO Director, Chad Krcil and BDO Managing Director and National Leader, Patrick Pilch.

Under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), the federal government is delivering a significant influx of money to the healthcare industry, particularly healthcare organizations, to aid in the response to the unprecedented public health emergency (PHE) due to the COVID-19 pandemic. Healthcare organizations must handle the funds in a compliant manner or risk ongoing and costly government scrutiny.

Accessing and Managing CARES Act Funding

The CARES Act has set aside $100 billion in emergency relief administered by the U.S. Department of Health and Human Services (HHS) through the Public Health and Social Services Emergency Fund. The fund can be utilized to support COVID-19-related expenses or lost revenue due to the cancelation of non-essential elective procedures. The first round of this funding of $30 billion occurred on April 10. Distributions were determined by dividing recipients’ 2019 Medicare FFS payments by $484 billion which is the total fee-for-service (FFS) payments made in 2019. Some of the stipulations of accepting this funding include:

  • Funds are not intended to be a loan or required to be paid back unless money is not used for stipulated purposes outlined in the Terms and Conditions letter.
  • The recipient should expect audits of how the funds are utilized as outlined in the accountability terms.
  • Providers must agree not to seek collection of out-of-pocket payments from COVID-19 patients that would be greater than what would have been expected if care was provided by in-network providers.
  • The recipient certifies it billed Medicare in 2019 and is providing diagnoses, testing or care to possible or actual COVID-19 cases. The recipient also certifies payments will only be used to prevent, prepare for and respond to coronavirus, and will reimburse the recipient only for healthcare-related expenses or lost revenues that are attributable to COVID-19.
  • The recipient certifies payment will not be used to reimburse expenses or losses that have been reimbursed from other sources.
  • The recipient is not currently terminated from participation in Medicare.
  • The recipient is not currently excluded from participation in Medicare, Medicaid and other federal healthcare programs.
  • The recipient does not currently have Medicare billing privileges revoked.

The healthcare organization will need to provide accountability for the use of these funds to ensure compliance with the conditions imposed on the payment. Any organization receiving more than $150,000 will need to submit to HHS and the Pandemic Response Accountability Committee a report which will outline and document how these funds were utilized.

Guidance for the relief funds states that these funds should not be used to cover expenses covered by other funding programs. An adequate audit trail must be developed. Healthcare organizations should do the following to account for COVID-19 funding and how these funds are utilized:

  • Set up separate general ledger codes for each funding program.
  • Identify separate cost centers for direct COVID-19 expenses.
  • Identify appropriate allocation methodology to distribute indirect departmental expenses to COVID-19 accounts.
  • Develop a methodology to identify lost revenue as a result of COVID-19, including:
    • Account for known cancelations of elective procedures or visits.
    • Determine revenue based on decreased admissions.
    • Look at year over year revenue decrease.
    • Understand any trends in recent revenue to determine if there was an increase or decrease that was occurring before COVID-19.

Regarding the additional $70 billion CARES Act available funding, healthcare organizations should expect a second round of funding to occur utilizing an allocation methodology based on the Medicaid population. Part of the $70 billion will be distributed to assist with reimbursement for uninsured patients.

This funding aims to provide the U.S. healthcare system with maximum flexibility and lessen administrative burdens to allow beneficiaries to receive medically necessary services effectively and efficiently. With the “relaxed” regulations and determination to provide healthcare organizations funding as soon as possible, providers will need to take steps to develop a complete audit trail of increased expenses, lost revenues, how funds were used, and how coding and claims were handled to avoid claim denials and audit findings resulting in possible repayment of funds due to inappropriate use of funds according to the guidelines of each program.

Critical Role of Compliance

Healthcare organizations need to make compliance a priority given the evolving regulatory framework and funding requirements described above. The actions of healthcare organizations are less likely to be analyzed during the PHE, but it is certain they will be scrutinized by regulatory and enforcement agencies as well as whistleblowers when the dust settles. Compliance departments should communicate to personnel at all levels within the organization that compliance and ethics are as important now as ever. Compliance departments must respond fully and promptly to any compliance concerns and monitor the evolving regulatory landscape during and after the PHE. An organization’s compliance culture, processes, and actions today will provide a valuable foundation and important context in any future government investigation or audit.

Government Enforcement Risk

The government has already initiated enforcement actions and reviews to prevent potential fraud, waste or abuse of resources related to the COVID-19 response, as well as protect vulnerable patient populations. It is safe to bet that such anti-fraud efforts will continue. The government’s response will involve criminal, civil and administrative enforcement activity, including the use of the federal False Claims Act (FCA) (and the potential for treble damages and civil monetary penalties) where companies or individuals submit or cause the submission of false claims for federal reimbursement. We will likely see a wave of COVID-19-related enforcement actions, including FCA suits filed by employees, contractors, market competitors, and other potential whistleblowers in the wake of this pandemic. Providers will also be subject to audits by the HHS Office of Inspector General (OIG) related to the use of federal funds earmarked for COVID-19 relief.

As healthcare industry stakeholders seek to avail themselves of various federal options for reimbursement, accuracy in requests, attestations or certifications required for reimbursement remains paramount. Applicants for CARES Act relief must certify or attest to certain facts relevant to their eligibility to participate in the CARES Act’s various programs. False certifications or attestations potentially expose an applicant to liability under the FCA. Therefore, impacted individuals and entities must take reasonable steps to ensure the accuracy of information and certifications contained in any applications for federal aid. For example, the $350 billion Paycheck Protection Program (PPP) application expressly notes that provision of false information, certifications or attestations in connection with the application can subject the applicant to criminal liability. Similarly, as discussed above, providers who accept money under the $100 billion Public Health and Social Services Emergency Fund must agree to certain terms and conditions. Providers not willing or able to agree to the terms and conditions must return the payment in full to HHS within 30 days of receipt. Noncompliance with any of the terms or conditions may lead to the recoupment of funds.

Assessing internal complaints and audits should continue simultaneously with COVID-19 response efforts at a reasonable pace. The 60-day deadline to report and return identified Medicare or Medicaid overpayments has not (yet) been suspended in any COVID-19 guidance. Providers must continue to investigate possible overpayments to avoid FCA liability for failure to return an overpayment promptly.

COVID-19-Related Enforcement Actions

The Department of Justice (DOJ) has committed to combatting fraud related to the COVID-19 crisis. DOJ directed all U.S. Attorneys to prioritize the detection, investigation, and prosecution of illegal conduct related to the COVID-19 pandemic, including through the appointment of a Coronavirus Fraud Coordinator to serve as legal counsel on coronavirus-related matters, manage the prosecution of coronavirus-related crimes, and conduct outreach. In a sign of things to come from states, Nevada’s U.S. Attorney and Attorney General created the Nevada COVID-19 Task Force with input from 15 state and federal agencies designed to protect Nevadans from exploitation and fraud during the pandemic.

DOJ’s initial enforcement actions involving COVID-19 addressed peddling of fraudulent COVID-19 vaccines, medication, personal protective equipment (PPE), and diagnostic testing. On March 22, DOJ filed its first COVID-19-related complaint against John Doe, a/k/a “,” for allegedly engaging in and facilitating a predatory wire fraud scheme exploiting the current COVID-19 pandemic by claiming to ship fraudulent World Health Organization vaccine kits for only the cost of shipping. On March 30, DOJ charged a Georgia man with conspiring to commit healthcare fraud and violate the federal Anti-Kickback Statute by soliciting and receiving kickback payments on a per-test basis from clinical and diagnostic testing companies for steering to those companies Medicare patients for COVID-19 testing. The Federal Bureau of Investigation (FBI), HHS OIG, Department of Defense Office of Inspector General, and the Department of Veterans Affairs Office of Inspector General joined the investigation of this matter. On April 9, DOJ, the Environmental Protection Agency (EPA) Criminal Investigation Division, U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI), and the U.S. Postal Inspection Service combined forces in a criminal action against a Georgia woman for allegedly importing and selling an unregistered pesticide, Toamit Virus Shut Out, that falsely purported to provide protection against COVID-19. On April 10, DOJ charged a Georgia man with wire fraud for attempting to sell 125 million nonexistent respirator masks and other PPE totaling $750 million to the Department of Veterans Affairs in exchange for substantial advance payments.

Beyond these traditional fraud enforcement actions, DOJ and the Centers for Medicare and Medicaid (CMS) have each initiated reviews of nursing homes where COVID-19 spread to susceptible patient populations. On March 23 and April 1, CMS announced the results of several complaint surveys of the Life Care Center nursing home in Kirkland, Washington, which is believed to be the epicenter of the COVID-19 outbreak in Washington state. Based on CMS’s surveys and cited deficiencies – including the failure to report the outbreak of respiratory illness to local authorities within the time required by law, inadequate care of residents during the outbreak, and failure to provide 24-hour emergency doctor services – the agency imposed a $611,000 fine. Although Life Care Center resolved three immediate jeopardy-level deficiencies, CMS notified the Life Care Center that it would be terminated from participation in federal healthcare programs if the remaining deficiencies were not corrected by September 16. On April 10, DOJ’s Civil Rights Division and the U.S. Attorney’s Office for the District of Massachusetts opened an investigation into Soldiers’ Home to determine whether the nursing home violated its residents’ rights generally and during the COVID-19 pandemic by failing to provide sufficient medical care to prevent the spread of COVID-19 among veteran patients and staff, leading to at least 44 resident deaths.

The government is pursuing these enforcement actions and agency surveys amid the COVID-19 pandemic despite a simultaneous shift by regulators to allow flexibility for healthcare organizations to respond to the crisis. Enforcement actions and reviews after the resolution of the COVID-19 PHE will only increase in scope and intensity while also being backed by additional resources.


While decisions made by companies seeking CARES Act or similar relief may not be dissected today, we are likely to see a groundswell of COVID-19-related criminal, civil and administrative enforcement actions in the coming months and years from multiple government agencies and new oversight bodies created under the CARES Act. The urgent need for relief does not eliminate the importance of compliance or the likelihood of significant regulatory oversight in the future.

Impacted individuals and healthcare organizations should:

  • Assess their compliance programs for effectiveness and identify new risk areas.
  • Understand and comply with all federal, state and local orders applicable to their business.
  • Confirm the accuracy of certifications on applications for federal funding.
  • Review and adhere to the terms of federal funding agreements and applicable laws.
  • Establish a plan for tracking of expenditures from federal funding for approved purposes.
  • Continue to analyze the measures taken in response to COVID-19 due to shifting regulatory flexibilities.
  • Ensure they comply with all CMS requirements, particularly regarding infection control, life safety, and emergency preparedness.
  • Fully document services and items provided in response to the COVID-19 pandemic in accordance with the funding requirements of various CARES Act relief programs to justify the payment.

If you have any questions about compliance risks related to the receipt of CARES Act funds, please contact the authors directly.

For more information on this topic, we invite you to join us next Friday, April 24 at 2:00 PM EDT for a webinar where the authors will provide additional details about CARES Act funding and enforcement. CLICK HERE to register.