In This Issue:
- Federal Healthcare Policy Update – The Future of Drug Pricing and Proposed Healthcare Overhaul
- Are Long-Term Care Facilities Ready to Have an Effective Compliance Program?
- HITECH Updates to HIPAA Violation Monetary Fines
- Internal Audit – Keeping Pace with Technological Advances and Digital Disruption
- Analytics and Automation – Continuous Monitoring
- Opioid Crisis Response
- DOJ Issues Updated Corporate Compliance Program Guidance
- Compliance – Keeping Your Organization Compliant with Telehealth Billing and Coding Requirements
While the multiyear legal battle against the Affordable Care Act (ACA) continues to rage on, healthcare policy focus has changed course and homed in on drug pricing. Predicting where drug pricing policies may or may not land has become an increasingly difficult task. Notable proposals, such as requiring drug manufacturers to include wholesale pricing in their advertisements or mandating that health insurers pass billions of dollars in rebates from drug manufacturers on to their Medicare recipients, have all been scrapped in recent months.
One of the last remaining ideas under consideration is the International Price Index, which would lower specific drug prices tied to Medicare by linking them to lower prices in other economically similar countries. This proposal, like the others, is not without controversy. Aside from pushback from the pharmaceutical industry, congressional Republicans consider this move a deviation from traditional free-market economics.
However, the Trump administration has promised to lower drug prices before the November 2020 election, and talks of an executive order that would deliver expansive cuts on the majority of the drugs sold to Medicare have begun to gain traction in the Oval Office. Although no further details have emerged from the White House or the Department of Health and Human Services, a decision is expected in the coming weeks. However, this plan could be delayed as a result of a recent proposal by Senators Chuck Grassley and Ron Wyden, which could save a proposed $100 billion in costs to government healthcare programs, including Tricare.
Despite the administration’s continued efforts, drug manufacturers have leveraged their power to fight each of these proposals, making it likely that they will not go into effect. If executed, they would cause large pharmaceutical players such as Eli Lilly, Pfizer, Roche and Bristol Myers Squibb, due to their massive contracts with Medicaid and Medicare, to see a significant sales hit. However, modified versions of various proposals continue to arise, and the fight for transparent, predictable drug pricing continues.
Drug pricing is anticipated to be a part of a larger healthcare overhaul expected to be announced soon by President Trump. As Democratic presidential candidates continue to apply pressure, touting major shifts in healthcare such as Medicare for All as a key campaign promise, additional items are expected to include revamped preexisting-conditions policies, new programs to help the uninsured, an overhaul of the Medicaid system and the enhanced ability to buy insurance plans directly from employers.
On November 28, 2016, the Centers for Medicare & Medicaid Services (CMS) implemented a Final Rule, Medicare and Medicaid Programs; Reform of Requirements for Long-Term Care Facilities, outlining the requirements that Long-Term Care Facilities must meet as a Condition of Participation (CoP). The implementation time frames were broken out into three phases. The third phase of that rule was required to be implemented by November 28, 2019; however, on July 22, 2019, CMS announced a Proposed Rule to amend the 2016 Final Rule to relax or eliminate some of the requirements titled Medicare and Medicaid Programs: Requirements for Long-Term Care Facilities: Regulatory Provisions to Promote Efficiency, and Transparency.
If finalized, the Proposed Rule may include a one-year extension on the implementation time frame of certain phase three provisions, including the Compliance and Ethics Program requirements (§483.85). Comments to the Proposed Rule were due no later than September 16, 2019, and the decision about whether the rule becomes the Final Rule should follow shortly thereafter.
While the proposed changes to the Final Rule include additional information, the complexity of the Compliance and Ethics Program requirement deserves some special attention. CMS stated that its intent was to “reduce a majority of the burden currently required under the compliance and ethics program that are not required in the statute because [CMS] believe[s] that the SNF and NF CoPs would have the appropriate safety and quality standards to support the compliance and ethics requirements with the proposed changes.”
The good news is that, for the most part, the 2019 Proposed Rule remains aligned with the 2016 Final Rule and more properly aligns LTC CoP Compliance Program requirements with the intentionally vague and less prescriptive language published by the Department of Health and Human Services’ Office of the Inspector General (OIG), the Department of Justice, and the Federal Sentencing Guidelines to describe the Elements of an Effective Compliance Program.
Additionally, while the 2016 Final Rule referenced it in the comments, the proposed rule specifically directs the reader to the OIG March 16, 2000, guidance entitled “Publication of the OIG Compliance Program Guidance for Nursing Facilities” (65 FR 14289) and the September 30, 2008, “OIG Supplemental Compliance Program Guidance for Nursing Facilities” (73 FR 56832). This is further confirmation that the OIG Compliance Program Guidance can be used as a guide in Evaluating the Effectiveness of your Compliance Program.
As of April 23, 2019, the Department of Health and Human Services (HSS) has issued a new interpretation of the annual limits for monetary civil penalties established by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) for healthcare providers, health plans and business associates that violate the Health Insurance Portability and Accountability Act (HIPAA), effective immediately. The new penalties are based on culpability or level of knowledge about the violation and whether steps were taken to correct any violations.
Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision, (2) the violation was due to reasonable cause, and not willful neglect, (3) the violation was due to willful neglect that is timely corrected, and (4) the violation was due to willful neglect that is not corrected in a timely manner. The annual caps per violation were reduced in three of the four penalty tiers, while the minimum and maximum penalty per violation remain unchanged.
Proponents of the changes believe that they clear up inconsistencies in the original HITECH Act, that the maximum penalty an organization could be fined per year that a violation persisted is clearer, and that penalties are better aligned based on culpability. However, critics of the changes believe that organizations may have less incentive to fix persistent issues around their security and privacy practices, since the potential fines for failing to do so are much lower.
The new penalty structure will be in effect until further notice:
- Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
- Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
- Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
- Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year
These changes come just as it was announced that 2018 was a record year for the enforcement of HIPAA violations, which totaled $28.7 million.
The key takeaway for healthcare organizations is to be proactive and take corrective steps to comply with the HIPAA requirements, knowing that, should an investigation promptly follow a breach, the monetary fines may be lower. Additionally, healthcare organizations should not wait until an issue occurs, but rather should create a culture of compliance with HIPAA that proactively assesses and manages privacy across the enterprise.
Automation, machine learning, digital transformation, artificial intelligence, disruptive innovations – these topics are getting a lot of attention across all industries, including healthcare, where there is added focus on understanding the implications on patient care, process efficiency and data security. Internal audit also plays a vital role in assessing the changing risk landscape with an understanding that traditional methodologies and conventional thinking are unlikely to continue addressing all the risks facing an organization. Internal audit must also take steps to help ensure that management undertakes innovation in a thoughtful and responsible manner.
The time is now. Adjusting and advancing the capabilities of internal audit is no longer simply a suggestion, but rather a necessity, as the healthcare industry is quickly moving toward greater use of advanced technologies. Analyzing digital healthcare records for populations of patients to determine cost of lives covered; utilization of telemedicine and telehealth to provide care to patients across the city, throughout the state, and even around the globe; and advancements of artificial intelligence in medicine are only a handful of real-world capabilities occurring today.
As the pace of innovation continues to accelerate, the internal audit profession faces a growing challenge to adapt to change while delivering on its core mission of protecting organizational value by providing risk-based and objective assurance, advice and insight.
Today, internal audit needs to think “next generation,” and reexamine the foundational elements of the internal audit function to become an agile, multiskilled and technology-enabled function. Internal audit functions should be able to recognize emerging risks and changes to the organization’s risk profile quickly, drive additional value through new delivery models, and act on risks timely to provide deeper, more valuable and up-to-date insights from audit activities and processes. A next-generation internal audit function seeks to effect holistic change through three key elements: governance, methodology and enabling technology.
Within the governance key element, next-generation auditing should include the following:
- Ensuring synergy between strategy and innovation, which can occur through defining internal audit’s strategic vision; establishing an innovation mindset, capability and culture; and including executive management’s strategic goals as key areas of focus.
- Evaluating internal audit’s resource capabilities, as new and evolving skill sets once considered technical will soon be considered core. This may require hiring/training new resources with key skill sets, developing capabilities of existing resources, and co-sourcing with a strategic partner who can bring specific skill sets to the organization that are not currently found in-house.
- Aligning internal audit’s function with other risk management functions across the organization to maximize the value of risk management and provide reasonable assurance through effective alignment, consistency and coordination. The next-gen vision and principles discussed herein can be applicable to all risk management lines of defense.
Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve. Next-generation internal auditing is redefining the internal audit strategy and enabling an innovative culture that can better address the changing landscape, provide reasonable assurance based on new risks in the environment and drive the future of internal audit. Keeping pace with these advancements requires purposeful transformation of the internal audit function. And remember, this transformation is not simply about utilizing new technology to execute internal audit work in the same manner. Rather, internal audit functions need to rethink how they perform their work.
In the next volume, we will dive deeper into key steps for updating internal audit methodologies to be more innovative and technology enabled.
Everywhere you look, we are being asked to do more with less. With the rise of technological innovation, there is an expectation that people and processes become smarter, faster and better. The healthcare industry is no exception, and there is a general perception that healthcare systems have fat to trim. Through various pay-for-performance programs and cost-reduction initiatives, healthcare systems have cut costs and addressed the low-hanging fruit where they could but are now trying to figure out how to run a more efficient operation, with fewer resources than they’ve had previously, that will ultimately result in higher quality that can be definitively measured. Amid this change, business stakeholders today are asking internal audit to provide deeper and more valuable insights from audit activities and processes.
Historically, internal audit has performed periodic organizationwide risk assessments to develop an annual or multiyear audit plan. This audit plan generally results in point-in-time process audits that include a healthy level of onetime analytics to support the audit. The problem with this approach alone is that it is static and has not kept up with or been able to respond promptly to the dynamic nature of the business operations being audited. Just as the business has had to do, internal audit must reinvent itself and retool the audit process into one that is dynamic and allows internal audit to provide real-time risk-based and objective assurance, advice and insight.
One of the first steps internal audit departments can take in an effort to transition to a more dynamic process is to establish some level of continuous monitoring in the organization. Then, leverage analytics that have been performed in previous audits and establish a dashboard and key triggers that will alert internal audit to potential problems in the business. Define key actions to be taken based on these triggers and modify the process as needed to continually improve the feedback and subsequent action. Where possible, automate these analytics to obtain a continuous (or at least routinely refreshed) data feed that will automatically alert key internal audit process owners when a defined trigger has been exceeded.
Continuous monitoring is not a new concept in internal audit, but optimal processes have yet to be implemented in most internal audit functions. Furthermore, the specific analytics and required monitoring cadence is not one-size-fits-all. Continuous monitoring should be designed in a way that is specific to the needs of the organization and will change over time. There will be a learning curve as this process is implemented and new analytics are added. It should be expected that learning will occur after implementation and the process itself will need to be adjusted to optimize real-time feedback and subsequent actions. What is important is that internal audit starts building this process now. As it is refined, it will allow internal audit to proactively provide the business with insights that are valuable because they are dynamic.
As the opioid crisis continues, the headlines are filled with lawsuits against drug manufacturers and distributors filed by more than 2,000 communities across the United States that are bearing the burden of the epidemic through billions of dollars in treatment, overdose remedies, education, law enforcement and other expenses.
In April 2019, from initial data, the Department of Health and Human Services reported progress in fighting the opioid crisis. Early data has reported a 34% decrease in opioid prescriptions based on monthly reports between January 2017 and February 2019. Additionally, a 3.3% decrease in provisional overdose death counts from the previous year was reported by the Centers for Disease Control and Prevention. The nation is moving in the right direction, but there is still work to be done. This battle must be fought collaboratively with entire communities – including healthcare providers, community leaders, parents, teachers and the justice system.
Hospitals across the country are working to mobilize their efforts in these key areas:
- Provider education for how to assess, treat and monitor patients with chronic versus acute pain needs and/or substance use disorder (SUD)
- Increased referrals to mental health and inpatient/outpatient SUD programs and medication-assisted treatment (MAT) for patients seen in an emergency department or inpatients with identified SUD or SUD risk
- Patient education related to managing pain and the risks of opioids
- Increased access to prescribing MAT
- Increased education and access to drugs for opioid-overdose reversal
- Monitoring payer authorization and reimbursement requirements for opioid prescriptions; for example, certain commercial and managed care payers have started to require prior authorization for opioid prescriptions and to limit the volume of reimbursable opioid medications based on certain quantity and concentration limits
- Removing the stigma of substance abuse and educating staff on proper terminology and clinical support for SUD
- Utilizing opioid predictive modeling to identify patients at higher risk for SUD and guide clinical decision-making
Additionally, facilities are doing better at monitoring their progress, including these key benchmarks:
- Monitoring prescribing practices by physicians (including prescribing patterns/outliers, compliance with Centers for Disease Control and Prevention and state or internal guidelines, prescribing of opioids with benzodiazepines, and so on)
- PDMP usage and integration into electronic health records
- Overdoses and overdose deaths (Naloxone administrations for both inpatients and patients coming into the ED)
- Frequency of pain assessments and identification of patients at risk for SUD/OUD
- Treatment referrals for patients with SUD/OUD
On April 30, 2019, the Criminal Division of the Department of Justice (DOJ) published enhanced guidance for evaluation of corporate compliance programs. Prosecutors attempt to evaluate the effectiveness of an organization’s compliance program following a determination of noncompliance. The prosecutor’s opinion as to the effectiveness of the compliance program can impact a range of outcomes, including the decision to file charges, plea agreements and sentencing recommendations. It is important to note, however, that this guidance does not replace or diminish multiple publications from the Department of Health and Human Services’ Office of the Inspector General regarding compliance programs, which would likely remain the core standards used should they (as opposed to the DOJ) evaluate an organization’s program.
The DOJ guidance poses a few new questions for compliance program evaluators to consider and reinforces many elements with which healthcare industry compliance professionals should already be familiar. The DOJ’s framework poses three “fundamental questions” about which prosecutors should reach a conclusion:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
Is the corporation’s compliance program well-designed?
When evaluating compliance programs, prosecutors are instructed to consider whether it is designed for “maximum effectiveness.” The DOJ lists evaluative questions for six key areas of focus within an organization, summarized below:
- Does the corporation have a comprehensive and methodical risk assessment process and a compliance program that evolves over time to reflect the determinations of those risk assessments?
- Does the company have well-designed, well-implemented and well-known policies and procedures that reduce legal or regulatory compliance risk identified by risk assessments or previous findings of noncompliance?
- Does the organization have a robust and well-evaluated compliance training and communications initiative that educates stakeholders on role-based compliance risk areas and associated policies and procedures as well as lessons learned by previous compliance incidents?
- Does the entity have a well-publicized confidential reporting mechanism? Are the firm’s compliance-related investigations comprehensive and well-documented?
- Does the corporation have a process to identify and proactively monitor high-risk vendor relationships (e.g., physicians and business associates)?
- Does the compliance function have a clearly defined due diligence role in the company’s merger and acquisition process?
Is the program being applied earnestly and in good faith?
A comprehensively designed compliance program still needs life breathed into it by committed management and a staff of appropriate size and talent, along with the buy-in of rank-and-file employees. Prosecutors are instructed to probe the day-to-day impact of the compliance program to ensure that the firm’s commitment to compliance is more than just lip service and dusty policies:
- Has senior management demonstrated “rigorous adherence” to ethical standards via concrete actions? Is the board actively and effectively engaged in providing compliance oversight?
- Is the organization’s compliance officer role sufficiently endowed with seniority, autonomy and empowerment? Does the compliance function have sufficient resources to “effectively undertake the requisite auditing, documentation, analysis” and investigations?
- Does the firm consistently and effectively use incentives and discipline to promote compliant outcomes?
Does the corporation’s compliance program work in practice?
Prosecutors are required to assess “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of the charging decision.” While a protracted compliance investigation and adjudication process gives a violator plenty of time to bolster its compliance program, from the standpoint of having one’s program be a mitigating factor, it’s too late. “In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.” Questions to guide prosecutors’ decisions include:
- Does the company’s compliance program improve and evolve over time to adapt to new initiatives or changes to the regulatory landscape? Are resources deployed and prioritized based on the organization’s current risk profile? How and how often does the company measure its culture of compliance?
- Are concerns of misconduct investigated promptly and thoroughly to identify any root causes, system vulnerabilities and accountability lapses?
- Are known issues remediated effectively and promptly? Are managers held accountable for noncompliance within their spheres of influence?
Now is the time to update any program effectiveness assessment frameworks healthcare providers use with new ideas and lines of inquiry suggested by the DOJ guidance. The program evaluation process is still very much a subjective one; what is right for one program is not necessarily right for your program. If only one thing is to be gleaned from the new guidance, it is that the DOJ expects proactive, methodical and evolving compliance efforts from your organization. Your program should be improving over time and with purpose.
Since 2013, the Centers for Medicare & Medicaid Services (CMS) has been expanding Medicare reimbursement for services furnished to beneficiaries outside a clinic or hospital. One of its biggest steps toward accepting this new paradigm was on January 1, 2015, when CMS started payment for chronic care management (CCM) services under CPT code 99490. Since then, with each iteration of the Final Rule, CMS has materially revised and expanded the types of services for which Medicare pertaining to telehealth will reimburse providers. Additionally, Medicare Advantage plans now accept and reimburse for a wide range of telehealth services.
While most state Medicaid plans are expanding their reimbursement for telehealth services, others continue to place restrictions or limitations on telehealth. The most movement in reimbursement in the previous year or two has been in real-time video, while store-and-forward and remote patient monitoring continue to lag behind. The most important recent Medicaid changes have included legislation enacted to bring parity for reimbursement between telehealth and in-person visits, which have resulted in providing an ROI for telehealth services. New legislation has been enacted that broadens Medicaid policy, establishes regulatory requirements and enacts interstate licensure compacts.
Recently, CMS revised its interpretation of the statutory requirements for reimbursement of telehealth-delivered services under Medicare, which is currently limited by Section 1834(m) of the Social Security Act, restricting the use of telehealth to certain services, providers, technology (mainly live video) and patient locations (healthcare facilities in rural areas). However, in the finalized Calendar Year (CY) 2019 Physician Fee Schedule, CMS states that its obligation to impose restrictions on telehealth services will apply only to “the kinds of professional services explicitly enumerated in the statutory provisions, like professional consultations, office visits and office psychiatry services.” Certain other services furnished remotely are not considered “Medicare telehealth services” and are not subject to the restrictions.
Consequently, CMS has created reimbursement and coding requirements for virtual check-ins (HCPCS G2012), remote evaluation of prerecorded patient information (HCPCS G2010) and interprofessional internet consultations (CPT codes 99452, 99451, 99446, 99447, 99448 and 99449). Provider health information management and coding teams should review the specific definitions and requirements of these new codes to ensure they are appropriately assigning them and provide education to providers on the correct use of these codes in order to ensure appropriate reimbursement and avoid any compliance issues.
In addition to the significant changes outlined in the CY 2019 Physician Fee Schedule, CMS developed allowances for additional originating sites and geographic exemptions for the monitoring and treatment of end-stage renal disease and for psychological services. CMS added new codes for remote physiologic monitoring (99453, 99454 and 99457) and chronic care management (99491).
Finally, effective January 1, 2019, MACs will accept the new informational HCPCS modifier G0 in association with the Place of Service (POS) code 02, which notates the use of telehealth services to remotely monitor and evaluate potential acute stroke patients. Many health systems are taking advantage of this new reimbursement incentive to evaluate acute stroke patients by setting up telehealth programs. Telehealth started as a way to reach people in remote areas but has evolved to be a convenient and cost-effective way to receive healthcare in a number of settings (inpatient intensive care, outpatient primary care and pediatrics, chronic disease management, behavioral and mental health, and outpatient specialty care, including dermatology, ophthalmology and obstetrics).