Money from the Coronavirus Aid, Relief, and Economic Security (CARES) Act Provider Relief Fund comes with extensive requirements for compliance and reporting. The funds are intended to offset losses from COVID-19.

  • Providers who received more than $10,000 in Provider Relief Funds remain subject to reporting requirements and HHS.
  • Organizations receiving the funds should employ a grant or compliance manager to oversee the expenditures.
  • Entities that received more than $750,000 in Provider Relief Fund payments are subject to audit requirements.

Healthcare organizations that received funding from the Coronavirus Aid, Relief, and Economic Security (CARES) Act Provider Relief Fund, intended to reimburse eligible providers for healthcare-related expenses or lost revenue stemming from the COVID-19 pandemic, must use a strong compliance program to avoid severe penalties. Risk managers and compliance officers should act now to ensure compliance programs are consistent with the latest guidelines from the Department of Health and Human Services (HHS).

HHS has issued guidance indicating recipients who receive at least one payment of $10,000 or more must comply with reporting system requirements when it opens in early 2021. (For details on the HHS guidance, visit: https://www.hhs.gov/coronavirus/cares-act-provider-relief-fund/for-providers/index.html. See the story in this issue for a summary of the guidance.)

Risk managers and compliance officers should work closely with legal counsel to understand the guidance and requirements, says Michael Buchanio, senior principal with West Monroe, a business and technology consulting firm in Chicago. Focus on how HHS defines certain terms and conditions, and understand the deadlines, he says.

“Once you have a good understanding of the requirements, you can start developing robust policies and procedures,” he notes. “Look for things like how your actions might affect any potential loan forgiveness, and what your document retention policies should be. Develop a plan to collect documents that will show you followed specific protocols.”

Buchanio notes that, unlike some government funding, HHS sent Provider Relief Funds to healthcare organizations without first requiring an application. That does not make compliance any less important, he says. By cashing the check, the organization is accepting the terms required by the government.

“You can’t always say you didn’t know about some requirement, especially when there is this much guidance available. You are already knowingly culpable if there is guidance and you are accepting the money,” Buchanio stresses. “Because you are taking the funds through Medicare, you could be jeopardizing your Medicare participation if you are not in compliance.”

In addition, HHS notes in the guidance that any deliberate omission could be punishable by criminal penalties, forfeiture of funds, and civil liability, he notes.

Buchanio points to the aftereffects of the Troubled Asset Relief Program (TARP), which purchased toxic assets and equity from financial institutions to strengthen the economy in 2008. There were about 350 criminal convictions for fraudulently accepting money from TARP, he says. About $10 billion was recovered from recipients who obtained the funds fraudulently.

“Some of the larger organizations that already had a robust compliance program in place probably have responded well to this requirement, but that may not be the case for the smaller organizations that probably really needed the money and are strapped for cash. They may have made hiring cutbacks or let people go, so they may not have that strong compliance team in place,” he explains. “They’re asking people to wear many hats. If that’s the case, some of these compliance requirements could slip through the cracks.”

The changing nature of the conditions and guidance is troubling for some recipients, says Mark J. Silberman, JD, chair of the white collar, government investigations, and regulatory compliance practice group with Benesch in Chicago. Unlike most funding programs in which the requirements are laid out from the start and change little over time, the rules for the Provider Relief Fund have been changing with each guidance update, he notes.

“You may have gone from being terrified that your hospital was going to go under just when the community needed you the most, but things changed, and you didn’t get the rush you expected. Or you used the money in a way that was OK back then, but now it turns out that isn’t OK,” Silberman says. “You didn’t return the money, so now you fear they’re going to treat those as false claims, treble the damages, and put you out of business.”

Silberman hopes government regulators have some sympathy for healthcare entities that tried to do the right thing, even if they come up short, and treat them differently from organizations that made no effort to comply.

“With that much government money going out, there is no doubt there are some people and organizations who took advantage,” he says. “What I really hope is that the government focuses its attention on people who tried to game the system and evaluate the people who tried but came up short in a different way. Some of this is as clear as mud, so there should be some discretion.”

Most assessments will rely on documentation, Silberman says. If an organization documents its efforts well, the government should see they made a good faith effort despite any shortcomings, he says.

In particular, Silberman says, be sure to document the decisions made at the times in which they were made. For instance, spending a lot of money on preparations for COVID-19 in March 2020 looks different than spending the same amount in September 2020 when the community was already deep into the pandemic response and past Phase I, he says.

“The rules and the government’s expectations have been changing throughout. If there is any weakness in your documentation because expectations have changed, you should be able to show why you did something at a certain point,” Silberman explains. “If you have to add documentation that is not contemporaneous to explain that, make it clear you are adding that documentation after the fact because the government standard changed.”

The requirements are consistent with HHS’ recent efforts to investigate where government funds are actually used, says Maria D. Garcia, JD, partner with Kozyak Tropin & Throckmorton in Miami. Providers must give detailed explanations of lost revenue from COVID-19 and where the Provider Relief Funds are used to cover those losses.

“They’re asking providers to give detailed data on general and administrative expenses. The second major category is healthcare-related operating expenses,” she explains. “Providers have to pay attention to how those funds are used and be prepared to give a detailed accounting. The regulators really want to see how the money was used and that it was used for the appropriate reasons.”

It may be too late now, but Garcia says the Provider Relief Fund is a good example of how healthcare organizations should consider whether they can safely comply with the requirements before accepting any government largesse. Smaller organizations may be the most in need of such emergency funding, but they might be the least capable of meeting all the compliance requirements. Taking the money while unsure of compliance sets up the organization for big penalties down the road, she says.

“Compliance is at the top of the mind of the federal government. It really is the issue of the day,” Garcia notes. “With this funding and other money provided in response to COVID, there is a lot of pressure for the government to detect fraud. Accepting funds like this without consideration of what will be required of you, and whether you really can accomplish that, is very risky.”

Attestations Bring Obligations

As with any federal funds, there is a fiduciary responsibility of the distributor to ensure the funds were used in the proper manner, says Anna Stevens, CPA, CHFP, partner-in-charge of healthcare services in the Houston office of Weaver.

To ensure compliance, HHS has required audits for recipients who meet certain thresholds, such as expenditures of federal awards in a single fiscal year greater than $750,000, Stevens says. Noncompliance with the terms and conditions associated with these funds could require recipients to return all or a portion of the funds.

One of the most common pitfalls is lack of documentation, says Rebecca Goldstein, CPA, an accountant in partner assurance services in Weaver’s Austin, TX, office.

Lack of established policies and procedures can result in internal control deficiencies and poor segregation of duties, Goldstein says. This often is amplified when there is decentralization throughout the organization or lack of management oversight as it relates to the grant.

“Having someone leading the charge who is familiar with the reporting and compliance requirement can help alleviate some of these traps,” Goldstein says. (See the story in this issue for elements of a good compliance program.)

Could Trigger False Claims Act

Compliance always is important when government money is at stake. The Provider Relief Fund is no different, says Jonathan H. Ferry, JD, partner with Bradley in Charlotte, NC.

Providers receiving $500,000 or more are required to report expense data with great specificity. The reporting requirements provide the specific categories of expenses such providers are required to report, Ferry says. Typical of government funding programs, the CARES Act Provider Relief Fund includes multiple attestations and representations providers made or were deemed to have made to keep the money. Failure to accurately report in accordance with the guidance could be deemed a breach of those attestations and representations, Ferry says.

“Inaccuracies in any report to the government can trigger serious consequences — administrative, civil, or even criminal. The main difference between the three is state of mind,” Ferry explains. “A true mistake might be dealt with administratively, but if the mistake is blatant and unjustified, it might rise to the level of recklessness that triggers civil liability under the False Claims Act [FCA].”

Violation of the FCA requires a provider to pay the government three times the amount of the damage the false statement caused, plus additional penalties, Ferry notes. In addition, if an entity knowingly submits untrue data to a company, it may be looking at a criminal investigation of itself and its agents.

Healthcare compliance professionals will be familiar with the “seven elements” of a compliance program detailed in HHS Office of Inspector General guidance, Ferry says, but that is only a baseline. The Department of Justice recently published additional guidance on corporate compliance programs. Ferry notes these points are relevant to Provider Relief Fund compliance:

  • Is the program well designed?
  • Is the program adequately resourced?
  • Does the program work in practice?

The first and third are relevant for the Provider Relief Fund, Ferry says. A company cannot rely on its old compliance program to ensure compliance with Provider Relief Funds.

“It must redesign elements of it to ensure business lines are properly tracking and accounting for the funds. It also must confirm that the system is working in practice for these new funds,” Ferry says. “The government expects company compliance programs to be nimble and adjust to new realities and risks. Enforcement authorities won’t give an organization a pass simply because Provider Relief Funds are new and subject to different requirements the company may not have seen before.”

There are numerous pitfalls, Ferry says, the first of which is the regulations themselves. They change frequently and with little notice. Every few days, HHS releases new guidance on how to handle Provider Relief Fund money. The reporting requirements issued on Sept. 19 were amended in significant ways on Oct. 22, Ferry notes. Further changes are expected.

“FAQs drop daily from HHS that can drastically affect how providers can use these funds. Stay up to date. Don’t assume you know the latest just because you checked last week,” Ferry says. “With regard to the reporting requirements and compliance, pay close attention to other money the organization may have received due to the pandemic. HHS has made it clear they are keenly interested in whether Provider Relief Fund money is being used to cover expenses or losses that in some way were already covered by other sources of funds.”

A compliance officer should be plugged in to parts of the organization that may have received money, Ferry says. Were insurance payments received? Did the company also receive Paycheck Protection Program funds? There were many other government agencies providing funds to healthcare providers.

“Compliance needs to know where it all went so that the entity does not double-dip on government funds,” Ferry says.

Compliance is essential, not optional, says Edgar C. Morrison, Jr., JD, partner with Jackson Walker in San Antonio. The attestations that healthcare organizations signed when accepting the funds create legal obligations, and providers must take that obligation seriously, he says.

Providers should use their existing financial accounting systems to report their use of Provider Relief Fund payments using their normal method of accounting (cash or accrual basis), Morrison says. He explains providers will have to report Provider Relief Fund expenditures this way:

  • Recipients who have expended funds in full prior to Dec. 31, 2020, may submit a single final report at any time during the window that began Oct. 1, 2020, but no later than Feb. 15, 2021.
  • Recipients with funds unexpended after Dec. 31 must submit a second and final report no later than July 31, 2021.

“The most obvious pitfall is late reporting or failure to report. The second is simply financial records that are not detailed enough, or are internally inconsistent,” Morrison says. “The Provider Relief Fund definitions are broad and generous enough that most providers should have no trouble reporting in compliance with the law. Those who ignore or pay scant attention to the reporting requirements, however, risk investigations by the HHS Inspector General, and potential refunds of amounts received.”


  • Michael Buchanio, Senior Principal, West Monroe, Chicago. Phone: (800) 828-6708.
  • Jonathan H. Ferry, JD, Partner, Bradley, Charlotte, NC. Phone: (704) 338-6011. Email: jferry@bradley.com.
  • Maria D. Garcia, JD, Partner, Kozyak Tropin & Throckmorton, Miami. Phone: (305) 728-2929. Email: mgarcia@kttlaw.com.
  • Rebecca Goldstein, CPA, Partner Assurance Services, Weaver, Austin, TX. Phone: (512) 609-1900.
  • Edgar C. Morrison, Jr., JD, Partner, Jackson Walker, San Antonio. Phone: (210) 978-7780. Email: jmorrison@jw.com.
  • Mark J. Silberman, JD, Benesch, Chicago. Phone: (312) 212-4952. Email: msilberman@beneschlaw.com.
  • Anna Stevens, Partner-in-Charge, Health Care Services, Weaver, Houston. Phone: (713) 850-8787.