Health Care Compliance: Tips For A Corporate Body Self-Exam

July 14, 2016 | Compliance, Investigations & White Collar | Health Services

Given the proliferation of health care regulations and white-hot spotlight of government enforcement efforts, it is becoming increasingly important for all health care organizations, ranging from small physician practice groups to large regional or national health systems, to attain a heightened level of self-awareness concerning areas in which they could be vulnerable to allegations of fraud and abuse.

That type of self-awareness can only be achieved through an unsparing examination of every wart and blemish on the corporate body from a compliance perspective. Corporate compliance programs certainly help in that regard, but only if they are well-constructed and aggressively implemented, and not merely false security blankets under which health care organizations are able to avoid genuine self-examination.

Having a bona fide compliance program in which risks are continually assessed and reporting mechanisms exist for employees and others to raise compliance issues is of course an important first step along the organization’s journey of self-awareness.

  • Does your compliance program have a system for identifying risks specific to your provider type?
  • Does your compliance program have a system for employees to report, on a confidential (and, if desired, anonymous) basis, compliance problems or concerns?
  • Does your compliance program have a system for investigating and responding to instances of noncompliance?

These are just some of the questions an organization must ask itself in evaluating, even at the most basic level, its background risk of harboring undisclosed fraud and abuse violations.

Health care organizations, however, can and should take a deeper dive into the pool of potential risks by asking hard questions that go to the very heart of some of the most common fraud and abuse concerns of government regulators. The Anti-Kickback Statute (AKS), Stark Self-Referral Law, False Claims Act, and Health Insurance Portability and Accountability Act privacy rule are the principal fraud and abuse laws that keep health care compliance officers up at night. Each of these laws targets a particular type of behavior, the risk of which can be measured by asking the right questions.

For example, the AKS criminalizes behavior involving the payment or solicitation of money or other remuneration to induce the referral of patients for the furnishing of any item or service reimbursable by a federal health care program. Violators face up to five years’ imprisonment plus mandatory exclusion from federal health care programs. In addition, a violation of the AKS will also be deemed a violation of the FCA. Are you at risk for such violations? Well, it depends on how you do business as a health care organization.

  • Do you maintain referral relationships with other providers?
  • Do you for any reason give or receive money or anything else of value to or from other providers with whom you have referral relationships?
  • And if you do, is that exchange of value made as part of a separate business relationship that is protected against prosecution by one of the statute’s safe harbors?
  • Or is the subject transaction unprotected and marked by the payment of remuneration that fluctuates with the volume or value of patient referrals?

These are but a few of the questions that any organization serious about understanding compliance risk needs to ask.

Stark is another statute that is concerned with patient referrals, but unlike the AKS, Stark is a civil statute, violation of which is based on what is known as a strict liability standard that does not depend on the violator’s knowledge or intent. Stark violations potentially carry severe penalties and, like the AKS, can serve as the basis for False Claims Act liability. Stark prohibits physicians from referring patients to third-party individuals or entities, with which the referring provider has a prohibited financial relationship, for any designated health service[1] reimbursable by Medicare. A health care organization’s risk of violating Stark is largely a function of the relationships it keeps.

  • As an initial matter, do the physicians within your organization refer patients to third parties for any designated health services?
  • If so, does any type of financial relationship exist between those physicians and the third parties to whom they are referring patients?
  • If a financial relationship exists, does it fall within a recognized exception under the statute permitting the referral relationship to continue?

These issues must be fully understood and, if problems exist, they must be promptly addressed to mitigate the risk of liability.

The FCA is one of the most powerful tools in the government’s arsenal when it comes to health care fraud enforcement. Violators face the prospect of treble damages, civil monetary penalties for each false claim, and potential exclusion from federal health care programs. Analyzing your risk profile for FCA violations, as with the other statutes discussed, requires asking the right questions concerning how your organization operates. Virtually all provider organizations, to one degree or another, submit claims to federal health care programs, either themselves or through a third-party billing company, so the ingredients are already there for potential FCA liability if that process lacks integrity or proper oversight.

  • Are the people responsible for your billing operations certified and knowledgeable in coding and documentation requirements?
  • If you utilize a third-party biller, is that vendor paid a flat fee or a percentage of collections that might incentivize miscoding to enhance revenues?
  • Do you periodically audit your coding and billing practices?
  • Are you familiar with the regulations, including local and national coverage determinations, governing your entitlement to payment?
  • Do you have a process for identifying and timely repaying any overpayments?

These are just some of the questions that must be answered to be successful in identifying FCA risk.

HIPAA is another area drawing increased attention from regulators, as the number of HIPAA breach investigations and audits of covered entities and business associates by the U.S. Department of Health and Human Services, Office for Civil Rights proliferates. Violations of the HIPAA privacy rule carry tiered civil monetary penalties that vary with the severity of the misconduct and, in egregious cases, can result in criminal prosecution. Self-awareness concerning HIPAA risk begins with a willingness to ask the hard questions about how HIPAA’s requirements are implemented at your organization.

  • Beyond adopting appropriate HIPAA policies, entering into business associate agreements with vendors and appointing individuals with responsibility for HIPAA privacy and security protocols within your organization, do you as an organization fully understand HIPAA’s definition of protected health information (PHI)?
  • Do you know how to de-identify PHI so that it may be communicated or disposed of safely?
  • Do you utilize encryption software on all your computers and mobile devices?
  • Do you rigorously enforce the HIPAA policies and procedures that you have?

Again, true self-awareness starts with critical self-examination and an honest appraisal of how your actual business operations stack up against regulatory requirements.

In this age of increased health care fraud enforcement and regulatory scrutiny, it behooves all health care organizations to move beyond the cliché of “compliance” in order to achieve actual compliance by engaging in critical self-analysis designed to identify areas of genuine risk under the principal fraud and abuse laws governing the industry. Organizations cannot afford to be satisfied with what could be false security provided by off-the-shelf compliance programs that, depending on how they are operationalized, may not identify serious compliance risks as effectively as a targeted self-exam tailored to the risk at issue.

[1] Designated health services are defined to include clinical laboratory services; physical therapy, occupational therapy, and outpatient speech-language pathology services; radiology and certain other imaging services; radiation therapy services and supplies; durable medical equipment and supplies; parenteral and enteral nutrients, equipment, and supplies; prosthetics, orthotics, and prosthetic devices and supplies; home health services; outpatient prescription drugs or inpatient and outpatient hospital services.

Reprinted with permission from Law 360. All rights reserved.
