The regulatory environment confronting U.S. healthcare organizations has never been more challenging or in flux. The government, at both the state and federal levels, has billions of dollars at stake and takes its stewardship of that significant investment seriously. As a result, the healthcare industry faces constant scrutiny and the threat of government actions, ranging from fines and sanctions to exclusions and even civil and criminal prosecutions. And this scrutiny is on the rise.
Consider these recent figures from the U.S. Department of Health & Human Services’ Office of Inspector General (HHS-OIG): The agency reported that in 2019 it expected to recover more than $5.04 billion, conduct 809 criminal actions and 695 civil actions, and enforce the exclusions of some 2,640 individuals and entities from participation in federal healthcare programs.
The exclusions alone could sound the death knell for most healthcare organizations.
The bottom line is healthcare administrators are responsible for the ongoing survival of their organizations in one of the most tightly regulated industries in the nation. They must ensure compliance with countless policies, laws and regulations from a myriad of agencies and departments. Noncompliance is expensive and can be lethal to organizations, even those that might have made just a handful of seemingly minor, but careless, errors. The potential cost to healthcare organizations can be so severe that they must be ever vigilant in creating and maintaining a compliance program that’s robust, responsive and effective.
Two important tools in this arena are (1) diligent assessments of compliance risk and (2) a strong auditing and investigations program.
Compliance Risk Assessment
Every healthcare organization has its strengths and weaknesses in terms of compliance exposure. The first step to safeguarding your entity is to make an honest assessment of the current compliance capabilities and vulnerabilities. Either internal audit and compliance resources or an independent third party should assess the organization’s current standards, processes and know-how to identify and implement meaningful improvements.
Our recommendation is to approach the compliance risk assessment as a comprehensive four-phase process with the goal of identifying a risk-based and in-depth, highly focused compliance program.
The first phase in this process is identifying the applicable risk universe that is specific to the organization and provider type and that addresses hot topics across the healthcare industry. Inputs used to build the risk universe should include OIG work plans, corporate integrity agreements (CIAs), settlement and enforcement trends and publications, healthcare compliance thought leadership, industry best practices, any existing risk assessment programs, and other tools and resources. The risks to be evaluated should include insights from the chief compliance officer as well as other compliance officials, such as the privacy officer, security officer, members of the internal audit function, and leaders of other risk management functions.
The second phase in the process is gathering input from across the organization through a risk assessment survey to assist in narrowing down the risk universe to high-risk areas specific to the organization. The survey should be deployed to all appropriate parties in the organization, including clinical, administrative, operational and financial personnel, particularly those in high-risk areas.
After the survey results are tabulated and analyzed, the organization can begin the third phase in the risk assessment process: conducting interviews. Precisely targeted and tightly focused, the interviews should be conducted with top management, audit committee and other board members, work groups from select business units, and other key players and involved parties. In addition to scoping out potential threats, the interviews can be used to probe leadership’s understanding of higher-level risks, as revealed in the results of the survey.
After these three phases are completed, the organization should have a clearer picture of the risk landscape, at which point it enters the fourth phase: risk prioritization and audit work plan development. In this phase, compliance leaders create a heat map of the highest-ranked risk areas to discuss with executive management to develop a proposed compliance and audit work plan for addressing those ranked threats, and a description of the work to be undertaken.
We assisted a healthcare organization with conducting a comprehensive compliance and internal audit risk assessment. During the process, we helped our client identify and prioritize their top 25 risks. These included cybersecurity and information security program effectiveness, nursing and clinical services, privacy and security of personal and sensitive information, meeting medical necessity criteria, case and medical management, utilization review and loss, electronic health records, and physician relationships, among others.
Each of these was an area of exposure that could have resulted in regulatory actions and penalties. We were able to assist our client’s organization in proactively implementing new standards, policies and procedures, including improved training, communications and enforcement guidance, to mitigate those risks. In addition, we collaborated with the internal audit group to audit 15 of the high-risk areas, and the compliance function began monitoring eight additional areas.
Audits and Investigations
Of course, compliance risk assessments are only one part of the overall equation. Healthcare organizations also must get ahead of threats by spearheading audits and investigations that can reduce exposure or quickly and effectively address shortcomings or challenges.
These audits and investigations might be in response to a CIA, other governmental action or threats discerned from a compliance risk assessment, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), privacy and breach notifications, Office for Civil Rights (OCR) audits, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), credit balance and governmental overpayments, the Stark law and the Anti-Kickback Statute, 501(r), government program audits, or any number of other areas of possible compliance failure or perceived vulnerability. This response might also be taken under the direction of, or on the request of, the organization’s internal or external legal counsel.
As part of any audit or investigation, the organization should begin with a structured planning process involving the creation of a leadership team, scope refinement and development of a work program. This planning process sets the stage for on-point fieldwork, detailed reporting of results, and ongoing monitoring to ensure that approved recommendations are implemented according to corrective action plans and assigned individuals complete those plans by agreed-upon target dates. In addition, it goes without saying, communication throughout the process is critical.
Successful Risk Reduction
Think of the government as your largest and most valuable customer — and by far your most demanding one.
By taking immediate and proactive actions to assess the organization’s degree of compliance risk exposure, and by auditing and addressing existing threats and implementing effective solutions, healthcare organizations can greatly reduce the threat of expensive fines and sanctions or even more costly exclusions and prosecutions. These steps will help safeguard the organization’s reputation and bottom line, and protect the interests of stakeholders. In addition, these activities will contribute to a regulator determining that an effective compliance program is in place and therefore should prove valuable during the penalty or sanctioning phase of a noncompliance event.
About Our Healthcare Compliance Services
We help healthcare provider organizations evolve their compliance departments to avoid legal and regulatory setbacks by providing scalable assistance, when and where needed. We also act as a qualified third party to assist compliance officers with the necessary review and support to increase the effectiveness of their compliance efforts. Our services include, but are not limited to:
- Compliance program design and implementation
- Compliance risk assessments
- Compliance program interim management and staffing
- Training assistance, including board education
- Compliance program effectiveness assessments
- Physician contracts and contract implementation reviews
- HIPAA privacy and security gap assessments
- Security risk analyses
- Coding and clinical documentation reviews
- Policy and procedure development
- Billing audits — physician and facility
- Departmental operations audits
- Clinical research program reviews
- CoP gap assessments
- CIA/CCA response assistance
- Revenue cycle compliance
- HIPAA investigations/OCR response assistance