Five Essential Questions To Mitigate Corporate Compliance Risk

In an increasingly intense and unforgiving regulatory environment, all healthcare organizations — from small physician practice groups to large health systems — must closely scrutinize areas where they may be vulnerable to fraud and abuse allegations. Corporate compliance programs are useful in this effort, but only if they are well-constructed and aggressively implemented, not merely false security blankets under which healthcare organizations can avoid genuine self-examination.

If your organization is due for a compliance assessment, the following five questions will help you get to the heart of some of the most common fraud and abuse concerns of government regulators.

Do you have any reason to give or receive money — or anything else of value — from other providers with whom you have referral relationships?  

The Anti-Kickback Statute (AKS) criminalizes behavior involving the payment or solicitation of payment to induce patient referral for items or services reimbursable by a federal healthcare program. Violators face up to five years in prison plus mandatory exclusion from federal healthcare programs. If you do exchange money with providers involved in a referral relationship, that exchange could be insulated from prosecution under an AKS safe harbor that protects certain approved business relationships. If not, the transaction must be analyzed carefully to determine whether it presents a significant risk of violating the AKS.

Do physicians within your organization refer patients to third parties with which they have a financial relationship for designated health services?

The Stark Law prohibits a physician from referring patients to third parties for designated health services reimbursable by Medicare if the referring physician has a prohibited financial relationship with the third party. “Designated health services” include clinical laboratory services, radiology/imaging services, durable medical equipment and inpatient/outpatient hospital services.1 Like the AKS, Stark is concerned with patient referrals, but violations of Stark — a civil statute — is based on a strict liability standard, which does not depend on the violator’s knowledge or intent. Stark violations potentially carry severe penalties and, like the AKS, can serve as the basis for False Claims Act (FCA) liability. A healthcare organization’s risk of violating Stark is largely a function of the relationships it keeps. The nature of these relationships must be fully understood, and if problems exist, they must be promptly addressed to mitigate the risk of liability.

Are you familiar with the regulations governing your entitlement to payment from federal healthcare programs?

When it comes to healthcare fraud enforcement, the FCA is one of the most powerful tools in the government’s arsenal. Violators face treble damages and civil monetary penalties for each false claim, as well as potential exclusion from federal healthcare programs. Virtually all provider organizations submit claims to federal healthcare programs, either themselves or through a third-party billing company, so the ingredients are already there for potential FCA liability if that process lacks integrity or proper oversight. Understanding the regulations governing your entitlement to payment is key to avoiding FCA liability. Consider the recent case of Universal Health Services vs. Escobar et al. To safeguard against FCA risk:

• Ensure that your practice’s billing operations staff members are certified and knowledgeable in coding and documentation requirements
• Periodically audit your coding and billing practices to safeguard against improper claim submissions
• Implement a process to identify and promptly repay any overpayments received from federal healthcare programs

Does your organization fully understand HIPAA’s definition of protected health information (PHI)? Do you know how to de-identify PHI so it may be communicated or disposed of safely?

HIPAA is another area that draws increased attention from regulators, as there is an increasing number of HIPAA breach investigations and audits by the Department of Health and Human Services. HIPAA violations carry tiered civil monetary penalties that vary with the severity of the misconduct and, in egregious cases, can result in criminal prosecution. Self-awareness concerning HIPAA risk begins with a willingness to ask the hard questions about how HIPAA’s requirements are understood and implemented at your organization. Effective compliance requires diligent implementation of HIPAA privacy and security protocols within your organization. At an even more basic level, compliance requires a true appreciation for what constitutes PHI and, further, how such information may be de-identified or encrypted so that any disclosure, whether deliberate or accidental, will not be considered a breach under the statute.

Are you willing to take a close look at your organization and evaluate your true compliance risk?

All healthcare organizations need to engage in critical self-analysis that identifies areas of genuine risk under the principal fraud and abuse laws governing the industry. Organizations can’t afford to be satisfied with what could be false security provided by off-the-shelf compliance programs that, depending on how they are operationalized, may not identify serious compliance risks as effectively as a targeted self-exam. Only an unsparing examination of compliance weaknesses within your organization, tailored to the specific industry environment in which the organization operates, will mitigate such risks. If your current compliance procedures are not up to the task, make them more rigorous. Doing so may keep your organization safe from governmental enforcement efforts.

Note:

1. Other types of designated health services include physical therapy, occupational therapy and outpatient speech-language pathology services; radiation therapy services and supplies; durable medical equipment and supplies; parenteral and enteral nutrients, equipment and supplies; prosthetics, orthotics and prosthetic devices and supplies; home health services; and outpatient prescription drugs.

© 2016 MGMA. All Rights Reserved.  Reprinted with permission from MGMA, 104 Inverness Terrace, East, Englewood, Colorado  80112.