Hospitals and Compliance
Hospitals are being squeezed on many fronts – government reimbursement for medical services is declining, government regulatory requirements are increasing, and the prospects for improvement are dwindling. Medicare and Medicaid payments come with so many restrictions and conditions that healthcare providers, including hospitals, face serious business calculations on whether or not serving whole classes of patients is economically worth the trouble.
Looking over the legal and compliance risk landscape, hospitals face continuing risks under the False Claims Act, the Stark law and the Health Insurance Portability and Accountability Act (“HIPAA”). Current trends in each of these areas underscore increased risk of enforcement and burdens from compliance.
The False Claims Act continues to top the list of risks for every healthcare provider, including hospitals. Government prosecutors secured a legislative wish-list of FCA provisions which all but guaranteed the government would increase its advantage in every investigation. The FCA has become a catch-all way for the government to secure large financial settlements from hospitals for sloppy record-keeping or situations where the intent evidence is mixed.
The whistleblower cottage industry continues to grow as more attorneys seek out plaintiffs to launch lucrative FCA cases against hospitals and others with deep pockets. The government embraces this regime as an effective way to leverage limited investigative and prosecution resources. Hospitals have no incentive to fight these cases since the cost of litigating and putting the government to its proof is prohibitive.
Stark law violations have grown in importance as well – first as a predicate for FCA cases but now also as stand-alone enforcement matters. The government has created an almost impenetrable set of requirements and restrictions around physician relationships, to the point that hospitals cannot even figure out how to comply or identify possible violations. More and more hospitals are employing their own physicians, which eliminates a number of Stark law restrictions. However, a significant percentage of physicians (approximately 70 percent) continue to have a variety of financial relationships with hospitals, and the risk increases that such arrangements may result in prohibited referrals to the physician.
The Stark law has numerous permutations, safe harbors and possible exclusions. The law has broad application to hospital-physician relationships, including: (1) employment terms and joint management terms; (2) on-call coverage arrangements; (3) acquisitions; (4) joint ventures; (5) medical directorships; (6) office purchase or leasing arrangements; and (7) related services.
Hospitals are used to dealing with HIPAA requirements and restrictions. What they are not used to is an aggressive enforcement environment and expansion of HIPAA requirements to business partners. HHS’ Office of Civil Rights is enforcing HIPAA requirements on privacy and overall data security, especially as part of “meaningful use” requirements.
Hospitals have been paying settlements around $1 million for specific data infirmities, including loss of data, unauthorized access to personal health information, and theft of unsecured data.
In this environment, hospitals need to devote more attention to focused and proactive compliance programs. It is tough for hospitals to allocate more resources given the tightening financial situation. It is important to focus on some basic compliance tasks, including: (1) regular internal audits; (2) active enforcement of enforcement standards; (3) training and education; (4) prompt and careful responses to potential compliance issues; and (5) more attention to communications with managers, employees and the board.